This issue of Interesting Finds is exclusively about artificial intelligence. AI is everywhere in today’s headlines and everyone else is busy navigating the practical realities of artificial intelligence—both at home and at work. But separating genuine breakthroughs from hype can be difficult. Also practical use of AI can be challenging.

Cutting Through the Hype

Separating fact from fiction remains a major challenge. Live Science covers an expert survey suggesting current large language models might be a dead end for achieving true human-level intelligence—contrary to much popular hype. Among them Gary Marcus who has warned about shortcomings of LLMs for years and proposes a new approach to AI.

For those seeking clarity amid all this noise, Princeton CITP offers a helpful guide (Narayanan & Mitchell) to distinguishing between genuine progress and overblown promises in today’s headlines.

Hallucinations in language models is one of biggest AI challenges. Use of AI without proper safeguards, like fact checking, can be pretty embarassing. The Chicago Sun-Times’ May 18th summer guide issue included numerous AI-generated fake books, articles, and expert quotes mixed with real content.

To address hallucinations, MLTechniques offers practical tips for reducing such errors in real-world deployments.Meanwhile, Wired’s coverage of new bug-reporting systems highlights how software engineering is adapting to AI’s unpredictability.

Public understanding of AI—and misunderstanding—shapes its adoption as much as any technical feature. VentureBeat’s warning about anthropomorphizing AI details the risks of conflating human-like outputs with actual understanding or intent. Researchers found that LLMs also struggle to act on what they know.

AI and Risks

Security and manipulation are growing dangers of AI. The Washington Post’s investigation into LLM poisoning exposes efforts by adversaries to “groom” chatbots into spreading propaganda or misinformation. In a similar vein, 404 Media uncovered unauthorized persuasion experiments run by researchers on Reddit users without their consent, raising alarm about both research ethics and platform responsibility.

Also open-source debate is heating up: VentureBeat argues that selective transparency can itself be a source of risk—inviting misuse while undermining trust. Also Open Source and AI coding agents pose a risk, especially if used maliciously by hostile actors like rogue nations or cybercriminals. AI can also be used to extract detailed personal information from minimal data, such as identifying exact locations from photos. Traditional digital privacy concerns (like ad targeting) seem minor compared to AI’s capabilities.

Further, the Axios report on Anthropic’s deception risk warns that even leading models can develop deceptive behaviors, creating new vulnerabilities for users. Forbes looks at challenges in ethical AI leadership, focusing on ChatGPT’s tendency to provide answers that may misunderstand or misinterpret questions. The key ethical lesson is that AI tools should be used thoughtfully, with vigilant oversight to ensure accuracy and integrity.

AI systems might independently take actions that affect users’ privacy or security, raising ethical and legal challenges. While AI has potential to combat cybersecurity risks, some research shows that LLMs are unreliable for cyber threat intelligence.

AI & Work

AI’s impact on workplaces is profound but complicated. While many companies embrace use of AI, study shows that a significant number of employees use generative AI tools like ChatGPT at work but keep their usage secret due to lack of clear workplace policies and fear of negative judgment or job insecurity. This secretive behavior, called “shadow AI,” can lead to workplace friction, security risks, and hinder collaboration. Experts suggest that clear communication, supportive leadership, and collaborative AI use can reduce secrecy and improve productivity.

Some predict dramatic shifts in workplace. Artificial Lawyer provocatively suggests that many routine legal tasks may soon be automated away—though others argue that uniquely human skills will remain essential. Business Insider says data already shows that AI technologies are increasingly capable of automating tasks traditionally done by professionals, leading to significant changes in the job market.

Others are not so sure AI will take away our jobs. Workday says it has increased employee productivity by nearly 60% but AI augments rather than replaces workers. However, article emphasizes the need for continuous upskilling, blending technical and human-centric skills such as creativity, emotional intelligence, and teamwork.

At the sam etime, according to a recent Euronews survey, nearly half of employees who use AI remain skeptical about its trustworthiness—a sentiment echoed by industry leaders worried about overreliance on these tools. Similarly, the NZ Herald’s piece on “Big Tech’s AI Race” explores how even technology giants are struggling to keep up with rapid change. And a recent study by the National Bureau of Economic Research found that AI chatbots in office jobs save an average of 3% work time but have little impact on wages or overall economic productivity. 

At the end

As AI technology moves to daily life, its influence is felt everywhere—from the way we work and socialize to how we approach security and ethics. Technical innovation brings new capabilities but also new pitfalls, like hallucinations, deception, and manipulation, as well as surveillance and increated cyber attacks. Trust remains a central hurdle: both workers and the general public are grappling with what it means to rely on systems that are powerful but imperfect. Living with AI is as much about navigating risks and misconceptions as it is about seizing opportunity—and connecting these threads is key to making sense of our evolving relationship with intelligent machines.

While links I’ve collected for this issue mau seem pessimistic, I am full of hope. I believe that AI is the future and has its place in society we just need to figure out best ways how to use it minimizing potential risks. In other words, we just need to learn to cope with this new technology like we did with all others (weaving machines, cars, internet etc.).

I am not great at writing regular blog posts going deep into specific issues. But as someone who follows a wide range of content—especially on AI, digital regulation, and technology—I often come across articles, reports, and research that are just too interesting not to share. That’s why I’m starting a new post series called Interesting finds. Here, I’ll (hopefully) regularly gather and highlight the most thought-provoking content I’ve discovered, adding a bit of context so you can go deeper if something catches your eye. I hope you’ll find something useful in these curated selections.

AI and Governance

The European Union continues to lead in shaping AI governance. The EUTA-GPAI report lays out key principles and actions for Europe to maintain competitiveness while ensuring responsible AI development. This document underscores the tension between fostering innovation and maintaining strict oversight.

The IAPP’s report on the AI governance profession offers a snapshot of the emerging roles, responsibilities, and career paths within organizations striving to implement ethical and compliant AI systems. Thes is also echoed in academic analysis such as “Regulating Generative AI”, which explores how jurisdictions worldwide are grappling with new frontiers in automation and creativity.

Meanwhile, EIOPA’s consultation on AI governance looks at the growing complexity financial supervisors face as they seek to balance risk management with technological opportunity. Sidley’s summary of EIOPA’s opinion shows that sector-specific regulators are increasingly involved in interpreting how general AI rules apply within niche industries.

Academic papers “The Law and Artificial Intelligence: Regulating Autonomous Systems” and “The Regulation of Artificial Intelligence: A Comparative Analysis”, analyse regulatory trends by region and highlighting where consensus—and disagreement—lie.

Meanwhile, this CircleID article questions whether traditional multi-stakeholder models can survive the rise of state-driven digital policy. As these debates unfold, they will set the direction for innovation, economic growth, and democracy itself.

AI and Copyright

Legal uncertainty around AI and copyright is growing more visible as generative models become central to creative and commercial work. The European Parliament’s study on generative AI from a copyright perspective highlights open questions about originality, ownership, and liability, while the first AI copyright case referred to the CJEU signals that European courts will soon take up these issues directly.

This is far from just a European story. The U.S. Copyright Office’s recent report examines whether and how works created with AI can be protected under U.S. copyright law, emphasizing the importance of human authorship. Meanwhile, the UK government’s consultation invites public input on how national law should adapt to AI-generated content, reflecting similar debates globally.

Commentary from legal experts explores the complexities of authorship when AI systems are heavily involved. For example, this Technollama post looks at current disputes over who—if anyone—should be credited as the creator when machines do much of the work. Practical questions also arise in software development: as ZDNet discusses, when tools like ChatGPT generate code, the lines of ownership and responsibility are often unclear.

In seeking new perspectives, you can look to earlier digital challenges for guidance: a Dutch case about RSS feeds is being re-examined for insights into the boundaries of copyright in the age of automation.

AI and copyright question still remains unsettled—and that answers will likely come from a patchwork of court decisions, legislative reforms, and practical experimentation across jurisdictions.

AI and Safety

International alignment remains a work in progress. The UK International AI Safety Report 2025 benchmarks emerging approaches to AI safety across national borders and stresses the need for harmonized standards. Complementing this, the NSA’s joint guidance addresses data security best practices in an age where model integrity is as important as privacy.

Incident reporting is another cornerstone of safe use of AI: the OECD’s framework aims to make it easier for stakeholders to share information about AI failures or near-misses—an essential step toward learning from mistakes and preventing harm.

At the end

The regulatory landscape for artificial intelligence is becoming both richer and more complex. Europe’s comprehensive approach, the rise of new governance professions, and the push for harmonized global standards all signal that AI oversight is rapidly maturing. However, legal uncertainty remains—especially around generative AI and intellectual property—but the work toward clearer rules and responsible frameworks is undergoing. As international organizations, academics, and industry all contribute to shaping these systems, the coming years will be defined by how well we balance innovation with risk, and how effectively we coordinate across borders.

The regulation of EU’s digital landscape is changing rapidly. New laws like the AI Act, DORA, DMA, DSA, and MiCA are being adopted and coming into force, and new ones being drafted. It can be hard to keep track of everything. It felt like I was drowning in information, trying to keep up with all these changes. I needed a way to make some sense of it all. That’s when I decided to create EUdigitallaw.com.

I wanted to create a resource where everyone could easily find information about these changes, whether they’re experts or just curious about how these laws might affect their daily lives. Right now, the site is just getting started, but I’m working hard to make it a valuable resource. You’ll find:

• News: Keeping you updated on the latest developments.
• Summaries of Laws: Breaking down complex legal texts into understandable summaries.
• Resources: A collection of articles, guidelines, opinions, and tools that can help deepen your understanding.

As I continue developing eudigitallaw.com, my goal is to make it even easier for users to find the information they need, whether it’s news, legal summaries or insightful resources. (Well, adding and organizing resources and especially legal summaries still requires lot of work, but is coming.) I hope it becomes a go-to place for anyone wanting to understand the EU’s digital regulations.

While I’m running this project on my own for now, I’m open to collaborating with others who share an interest in EU digital regulations. I believe that working together can enhance the quality and reach of the information provided. I invite you to explore eudigitallaw.com and join me on this journey. Your insights and feedback would be incredibly valuable as I work to create a platform that serves our community’s needs.

Subscribe to updates!

Want to get more news and updates on EU digital news? Subscribe to my newsletter!

I am invited to participate in International Data Transfers & Compliance Summit as moderator for breakout session: Data transfers to third countries. I have participated in conferences, summits, seminars and similar events as a speaker (and as a participant, of course), but never as a moderator. So this will be a new experience for me. And I can’t say it is less work already than being speaker!

Data transfers to third countries

The topic of session – Data transfers to third countries – rises a lot of questions, issues and debates. Data transfers outside European Union has been problematic topic since dawn of EU’s data protection. Soon after the inception of requirements regarding data transfers to third countries in EU’s Data protection Directive (Directive 95/46/EC) it became clear that requirement is problematic for fast developing global economy and internet era.

Adequacy mechanism provided in Directive was not working to full potential as only small bunch of countries and territories were found as adequate to EU’s data protection level and therefore safe to transfer data to. And EU’s biggest business partner – US – was not among those countries; and could not be taken their different approach to data protection.

To address this, European Commission created Standard Contractual Clauses (SCCs) and Safe Harbor framework. However, Safe Harbor was found as inadequate means for ensuring safety of transferred data by Court of Justice of EU (CJEU). As its replacement Privacy Shield was set up just to be taken down by CJEU few years later, rising question whether such mechanism can work at all. Even more – CJEU noted that also Standard Contractual Clauses must be used with caution and every data flow outside EU must be carefully analyzed, leaving EU companies with a quest for compliance.

So much trouble around EU. But requirements for transfers of data outside country is not just EU “thing”. Other countries have them, too. For example, Russia and China have announced introduction of stricter data localization rules. Britain, on another hand, announced they want to be in the middle of data transfers and have as business friendly regime as possible. But such approach can jeopardize their (even not yet fully adopted) EU adequacy decision.

Join!

Do those problems seem familiar? We’ll try to look at those issues and find best ways to comply with applicable regulations. If you are interested in the event – there is still time to join. And best part – event is free. So head to registration and sign up! On registration page you will also be able to download event’s program.

Already have questions regarding data transfers you would like to ask panelists? Great! Go to contact  form and send them in to me and I will ask panelists. See you on session – March 31, 17.00 UTC!

Collaborate with me

I love to share my knowledge and experience. Be it by participating in a conference or leading a seminar, or having a coaching session. I also have plans on organizing similar but simpler virtual GDPR compliance summit and training. So if you have an idea or proposal – drop me a note!

Recently I was looking at fines for GDPR breaches to get better understanding on data protection landscape at the moment. I selected 10 from just December 2020 and January 2021 which were biggest or most interesting. There are more loud fines being issued already in February which I did not include in the list. But I am sharing my observations and takeaways in hopes you will find them interesting and useful, too.

1) Germany: €10.4M fine against notebooksbilliger.de for employee video monitoring without a legal basis

Fine: €10.4 million

The Lower Saxony data protection authority issued a €10.4 million fine against notebooksbilliger.de AG for video monitoring its employees for over two years without any legal basis. DPA noted that the cameras recorded workplaces, sales rooms, warehouses, and common areas, among other places, and that notebooksbilliger.de claimed that the aim of the video camera installation was to prevent and investigate criminal offences and to track the flow of goods in the warehouses.

The DPA stated that, in order to prevent theft, a company must first examine milder means, such as random bag checks when employees are leaving the business premises. In addition, video surveillance to uncover criminal offences is also only lawful if there is justified suspicion against specific persons, and that, if this is the case, it may be permissible to monitor them with cameras for a limited period of time. At notebooksbilliger.de video surveillance was neither limited to a specific period of time nor to specific employees, and that, in many cases, the recordings were saved for 60 days, which is significantly longer than necessary. In addition, the DPA outlined that customers of notebooksbilliger.de were also affected by the video surveillance, as some cameras were aimed at seating in the sales area, and that the video surveillance by notebooksbilliger.de was not proportionate in these cases.

Takeaway

• Video monitoring is particularly privacy invading processing and requires thorough evaluation of purpose, necessity, proportionality, location of cameras, records retention etc.

Press release: https://lfd.niedersachsen.de/startseite/infothek/presseinformationen/lfd-niedersachsen-verhangt-bussgeld-uber-10-4-millionen-euro-gegen-notebooksbilliger-de-196019.html

2) Spain: AEPD fines CaixaBank €6M for consent and information failures

Fine: €6 million

A customer and non-profit organization alleged that the bank’s framework agreement prevented customers from negotiating the terms of their contracts and forced them to consent to the processing of their personal data. The AEPD agreed with the complainants stating that the evidence the bank brought in their defence was imprecise, vague, not uniform and did not provide sufficient justification for their legal basis for data processing and transferring data to third parties (including other companies within the CaixaBank Group).

Takeaways

• Consent must not be forced upon customer; invalid consent means illegal processing of data.
• Processing based on legitimate interests must be justified.
• Information on processing activities and data retention must be precise and provided in uniform manner.
• Also data transfers within group must comply with GDPR requirements.

The fine represents the largest financial penalty issued under the GDPR by the AEPD to date

AEPD decision: https://www.aepd.es/es/documento/ps-00477-2019.pdf

3) Spain: AEPD fines BBVA €5M for GDPR information and consent failures

Fine: €5 million

The Spanish data protection authority (AEPD) fined Banco Bilbao Vizcaya Argentaria, SA (BBVA) €2 million for a violation of transparency principle – it provided insufficient information about the category of personal data processed, especially in relation to customer data obtained through products, services, and channels, – and €3 million for failure to obtain consent before sending promotional SMS messages to a customer, and did not have in place a specific mechanism for consent to be obtained.

Takeaways

• Transparency about processing activities is one of pillars of GDPR compliance, so is obtaining proper consent where necessary.a

AEPD decision: https://www.aepd.es/es/documento/ps-00070-2019.pdf

4) Sweden: Companies fined for no risk analysis regarding the access to data

Fines:

• Capio St. Göran: €2,9 million (SEK 30,000,000)
• Aleris Sjukvård AB: €1,5 million (SEK 15,000,000)
• Aleris Närsjukvård AB; €1,2 million (SEK 12,000,000)

The Swedish DPA fined medical companies Capio St. Göran, Aleris Sjukvård AB and Aleris Närsjukvård AB for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information systems were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.

Takeaway

• Access management is must have in any IT system holding personal data; access to data has to be granted based on what is required for work and principle of minimum access.

Decision: https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-capio-st-gorans-sjukhus-di-2019-3846.pdf

5) Poland: Virgin Mobile Polska fined for not having regular testing of technical measures

Fine: €460,000 (PLN 1.9 million)

Polish DPA stated that the company infringed the principles of data confidentiality and accountability by not carrying out regular and comprehensive tests, measurements and evaluations of the effectiveness of the technical and organisational measures applied to ensure the security of the data processed. Activities in this regard were only undertaken when there were suspicions of vulnerability or in connection with organisational changes. Moreover, no tests were carried out to verify safeguards related to the transfer of data between applications related to the servicing of buyers of prepaid services. The vulnerability associated with data exchange in these systems was used by an unauthorised person to obtain data from some of the company’s clients.

Takeaways

• Data security is permanent, continuous process, not a one-off activity.
• All data transfers between applications must be secured and properly tested.

More information: https://edpb.europa.eu/news/national-news/2021/polish-dpa-virgin-mobile-polska-incidental-safeguards-review-not-regular_en

6) Ireland: DPC fines Twitter €450,000 for breach notification and documentation failures

Fine: €450,000

Twitter was fined for not timely informing DPA about data breach that resulted from a bug in their software that “protected” tweets public without user’s knowledge. A third-party security company discovered the bug and informed Twitter.

The DPA found that twitter did not comply with its obligations to notify a personal data breach within 72 hours of becoming aware of it. It also found that Twitter had breached its obligations to document personal data breaches.

Takeaways

• The data controller is considered to be aware of data breach at the moment it or its data processors determine that incident might have GDPR implications.
• Data controller must ensure that its data processors inform about potential data breaches in timely manner.
• All data breaches (including non-reportable ones) must be properly documented.

Decision: https://edpb.europa.eu/sites/edpb/files/decisions/final_decision_-_in-19-1-1_9.12.2020.pdf

7) Poland: UODO fines ID Finance Poland PLN 1M for inadequate technical and organisational security measures

Fine: €250,000 (PLN 1 million)

ID Finance (owner of a lending platform MoneyMan.pl) failed to implement adequate technical and organisational measures to ensure the security of data. The company had not responded to indications about security gaps and that an unauthorised person had subsequently copied and deleted the data in the company’s server also demanding a ransom. The breach had taken place following a failed attempt to restore appropriate security configuration and that the controller, despite being notified about the vulnerability from cybersecurity specialists, failed to exercise due diligence with respect to its security systems and its processor.

This breach would not have occurred if the controller had immediately reacted appropriately to the information that the data on his server was unsecured.

In calculating the fine, Polish DPA took into consideration, among others, the scale of the breach and the controller’s delay in taking appropriate remedial action.

Takeaways

• The controller must be able to detect, address, and notify data breach – this is a critical element of technical and organizational measures.
• Any indications or information about possible technical issues must be taken seriously, investigated and addressed in timely manner.
• Delay in response of service provider is not an excuse for data controller.
• The way controller reacts to incident is taken into account by DPA when deciding on fine.

More info: https://edpb.europa.eu/news/national-news/2021/polish-dpa-id-finance-poland-checking-potential-system-vulnerabilities_en

8) Czech Republic: UOOU fines 11 organisations CZK 3.1M for unsolicited postal marketing

Fine: €119,000 (CZK 3.1 million)

Czech DPA fined 11 organisations for sending unsolicited postal marketing messages to citizens’ mailboxes. DPA stated that the possibility of sending postal messages free of charge until the end of the Coronavirus pandemic emergency period was abused for the purpose of sending marketing messages. DPA highlighted that the organisations processed data subjects’ personal addresses without a valid legal basis. Moreover, the organisations did not provide data subjects information on the commercial use of their data at the time of the first communication.

Takeaways

• Availability to process data does not mean legality of processing – all requirements must be met, including: legitimate purpose, legal basis, proper information to data subjects etc.

Press release: https://www.uoou.cz/vismo/dokumenty2.asp?id_org=200144&id=47199

9) Romania: ANSPDCP fines Banca Transilvania RON 487,380 for inadequate security measures

Fine: €100,000 (RON 487,380)

Romanian DPA fine Banca Transilvania SA for inadequate security measures that led to the breach of confidentiality and failure to secure data. Investigating a complaint DPA found that a listed document containing a client’s statement, as well as an email containing the internal conversation between the company’s employees was posted on Facebook and a website.

Takeaways

• Company is responsible how its employees process personal data.
• Sufficient security measures must be put in place to safeguard data from misuse and illegal disclosure.

Decision: https://www.dataprotection.ro/?page=Comunicat_17_12_2020&lang=ro

10) Spain: AEPD fines Vodafone €90,000 for GDPR accuracy and security violations

Fine: €90,000

Due to an error in system, clients of Vodafone España were shown data of other customers. The Spanish data protection authority (AEDP) fined Vodafone España for violations of the data accuracy principle, and the integrity and confidentiality of personal data.

Takeaways

• Data security and proper access management is important part of any IT system, as failure may lead to data breach.

AEPD decision: https://www.dataguidance.com/sites/default/files/ps-00415-2020.pdf

Conclusions

What we can se is that million euro fines for GDPR breaches are becoming a norm. At the same time it is still not clear how those fines are calculated as they seem to be scattered “all over the spectrum” even when it comes to large companies. Nevertheless, fines are for breaches of basic principles.

Lawfulness.

Processing of personal data has to be necessary and proportional. Just because you can collect data does not mean you should. Further, if you relay on consent as legal basis for processing of data, ensure it is lawful and fits all GDPR requirements. Otherwise look for different legal basis. Still, also legitimate interests as legal basis needs careful justification.

Transparency.

Be open about how you process data. Make this information easy to obtain and understand. This task, however, may not be so easy to achieve – especially if processing is very complex.

Security.

Companies gave to implement appropriate organisational and technical security measures. While it is open for discussion what that means exactly, there are some basic requirements:

• Take data security seriously. If something can go wrong, chances are – it will. If somebody points at weaknesses – better check it twice.
• Access management – ensure data is accessed only by authorised personnel and only on a “need-to” basis.
• Implement tools and processes that allow detection of data breaches. Your data processors and employees is your problem. Ensure your agreements have proper clauses and instructions are followed.
• Regularly test and review your security measures – it is recurring not “done and forget” process.
• Document all your activities – what you have implemented and how you tested it.

Last week we celebrated Data protection Day. So this is right moment to look back at previous year, how it changed, and also try to predict future developments. All statistics comes from DLA Piper GDPR fines and data breach survey: January 2021.

Regulators have been more active with fines

We saw that data protection authorities are getting up to speed with GDPR enforcement. EUR 158.5 million of fines imposed since 28 January 2020. That is 39% increase compared to just over EUR 114 million in the previous 20-month period since GDPR came into force in 25 May 2018. Without doubt, time of warnings is over and authorities expect companies to be fully compliant.

But let’s look deeper what where companies fined for, which were most active DPAs and highest fines for GDPR non-compliance.

What were the biggest GDPR fines in 2021?

The highest GDPR fine to date remains the EUR 50 million imposed by the French data protection regulator on Google, for alleged infringements of GDPR’s transparency principle and lack of valid consent.

The second largest fine is EUR 35.26 million imposed by the Hamburg data protection supervisory authority on a global retailer H&M for failing to have a sufficient legal basis for processing.

Third – Italy’s data protection supervisory authority fined a telecommunications’ operator TIM SpA EUR 27.8 million for a number of breaches of GDPR, including breaches relating to transparency obligations, failing to have a sufficient legal basis for processing personal data, and inadequate technical and organisational measures, and breach of the principle of privacy by design.

While biggest fines are impressive, in most cases they are far from maximum 4% of global turnover of companies.

What was the most common GDPR breaches in 2021?

Most fines are for violation of basic GDPR principles that are here since times of Directive 46/95/EC adopted back in 1995. While notable exception could be compliance with data breach notification requirement which was introduced with GDPR, it is evaluated in the context of failure to implement appropriate security measures.

Failure to comply with the transparency principle

Authorities have paid attention to violations of the lawfulness, fairness and transparency principle (Article 5(1)(a) GDPR making it priority. Many companies got fined for not having privacy policies or proper notices in place, or scattering information in many documents making consumers hard to find required information. Also Google’s EUR 50 million fine was for breach of transparency principle.

Failure to demonstrate a lawful basis to process

This is cornerstone principle – any processing of data must have lawful basis. In some cases, the supervisory authority concluded there simply could not be any lawful basis for the processing in question. In other cases the controller failed to demonstrate evidence of the lawful basis, chose wrong lawful basis that could not be applicable in the case, or failed to obtain GDPR compliant consent.

Failure to implement appropriate security measures

Controllers must ensure that processing is secure – no unauthorised persons can access data, systems and processess are monitored, any data breaches are quickly identified and addressed. In practice it is no easy task to achieve. But effort is what counts.

Breach of the data minimisation and data retention principles

Many companies still collect too much data. Sometimes it is just that processes were built that way (more is better) without giving a thought about data protection. Legacy systems are not so easy to re-build, dealing with non-structured data is hard. And in many cases that is not so obvious what is appropriate amount of data to collect.

Regulators aren’t always right

Supervisory authorities didn’t have everything going their way, though. Several high profile fines were overturned in courts or significantly reduced. That show there is plenty of room for disputes regarding how to apply GDPR.

UK’s ICO significantly decreased fines for Marriott International (from £99 million down to £18.4 million) and British Airways (down to £20 million from £183).

A German appeals court has slashed by 90% a General Data Protection Regulation fine levied by the nation’s federal privacy watchdog against 1&1 Telecom over call center data protection shortcomings.

Also Austrian supervisory authority’s headline EUR 18 million fine imposed on Austrian Post was overturned by the Austrian Federal Court in december.

Consumer organizations test their powers

This year we saw increase in court cases and complaints brought by consumer protection organisations. So noyb brought 101 compliant to 27 EU data protection authorities regarding non-compliant transfer of data out of EU. Later noyb also sued Luxembourg’s Data Protection watchdog for refusal to act on US companies.

British Airways is potentially facing the largest privacy class-action lawsuit in UK history over its mass customer data breach that affected 400,000 people, according to a law firm involved.

This year for sure will bring just increase in activities of consumer organisations which target not just companies for non-compliance but also supervisory authorities for lack of action.

Increase in reported data breaches

For the period from 28 January 2020 to 27 January 2021 there were, on average, 331 breach notifications per day. That is 19% increase compared to previous year’s 278 notifications per day.

I think there are 2 possible reasons for such increase:

1. Better awareness of companies regarding identification and reporting obligations. Companies get more educated both in importance to have proper tools to get alerted on incidents, and their obligations to report data breaches to authorities. Also, increased DPA activities regarding fines for failing with reporting obligations may play a role.
2. Increased cyber-security risks. Last year was special for companies as most of them moved to remote work. Neither companies nor employees were ready for such shift. Work from home put data under increased risk as employees used their own (often unsecured) equipment for processing data or made data available to their household members. And, of course, cyber-criminals were more active than ever to use this new situation for their own gain.

Thus, I am of opinion that in 2021 we will see further rise in reported data breaches. For many companies there is still much of work to do to address risks created by remote work – both technologically as well as in training of employees.

Takedown of Privacy Shield

CJEU’s decision to repeal Privacy Shield was probably loudest data privacy case in 2020. Not just in EU but especially in US. Moreover, the decision impacted all data transfers outside EEA to countries without “adequate data protection” as court noted that any such transfers must be scrutinized and derogation measures can’t be applied just formally. Companies are required to evaluate legal regime of data importer countries and how it can apply to specific data transfer- huge burden for companies. In addition, technical measures (as encryption) must be used to secure data.

Brexit

Both EU and UK companies and privacy experts were closely watching Brexit negotiations to understand whether any additional safeguards are to be applied to data transfers or they can continue as used to. The solution was found at last minute and was .. to give additional 4-6 months to find a solution. Some relief to companies but uncertainty is till there.

New data protection guidance from authorities

There are still many open legal questions and uncertainties in the interpretation and application of GDPR. It will take time to clear them out. Therefore any new guidance is welcome. Both local authorities and European Data Protection Board (EDPB) were actively working on new GDPR guidance.

Also, CJEU issued several notable decisions on data protection and e-privacy questions, deciding, for example, that:

• EU law prohibits State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies,
• Invalidity of privacy Shield as tool for data transfers from EU to US,
• pre-ticked boxes are not compliant with GDPR‘s consent requirements,
• Parliament’s petition committee must be categorised as a ‘controller’.

In November European Commission released a draft set of new Standard Contractual Clauses (SCCs) that will replace long outdated existing ones.

The hard work on GDPR guidance will continue this year, too, of course. And there are some new decisions expected also from CJEU to shed a light problematic issues of GDPR application.

Conclusion

While the big “hype” in public around GDPR is settling down, privacy and data protection is not going away. On contrast – we see that both data protection authorities and consumer organisations are getting more sourced and knowledgeable to bring data protection to next level. Companies should play along and keep their processes compliant.

This post will be more for myself. As a point of reference, or line of thought.

Recently I decided to make changes to my online appearance – what and how I tell people about myself and what I share with others. You see, I love a lot of things in my life – photography, law, building websites, drawing, travel, and design. They are kind of not closely related, so I treated them separately, had a separate websites and social media accounts to cover those topics. But then I realized – they do relate through me. They are part of who I am. I am not just a lawyer, or a photographer, or geek, or wannabe internet entrepreneur – I am all of those things.

Therefore I decided to embrace them all together. And share with others – I mean you.

One website to rule them all

So I am slowly bringing all my work to this website – it will be mix of things I like. Will see how it goes. But the benefits I see from such move are (or should be – will find out):

• People will know me better – not just one part of me.
• Hopefully people who follow me because of one topic will get interested in other things I like and do, too.
• Less work to maintain websites and social media accounts. That actually takes so much time!
• More time to create as I will be spending less on maintenance tasks.
• I hope it will help me get wider audience and better SEO for this website, too.

Getting all together includes also Latvian site – I am bringing it along, too. Again, – less work for maintenance and more time for creating stuff. Plus new experience in creating complex multi lingual sites. Will be some tinkering around WordPress, but I love it.

However, some projects will remain separate, as they are – dpo.guide, dataprotection.news, inspiration.space, and perhaps dataprotection.blog, too. They are projects – specific topics or stuff I work on, hoping they will be useful for others and maybe others will join in developing them.

Side note: If you interested in or wish to participate in any of my projects, just drop me a note!

Newsletter

I’ve also created a newsletter to share my thoughts, what I work on, what I read or find interesting. No fluff or selling. Just pure sharing of useful – at least in my opinion – information. And hope for discussion. Actually, while being introvert, I am lacking good discussion around interesting topics. Not just the one in comments under blog posts but personal. Person to person. have any ideas? Let’s connect!

So, got you hooked? (I really hope I do!) If so, join my newsletter!

On 26 April 2006 the Council of Europe decided to launch a Data Protection Day to be celebrated each year on 28 January, the date on which the Council of Europe’s data protection convention, known as “Convention 108”, was opened for signature. That was first legally binding international law in the field of data protection. Data Protection Day is now celebrated globally and is called Privacy Day outside Europe.

Since Convention 108 – that has been adopted already in 1980 – Europe has been trendsetter of privacy regulation. And General Data Protection Regulation (GDPR) was turning point that attracted attention far beyond borders of European Union. Public and regulatory interest in data protection issues has increased significantly over the last few years. And with each big data breach or data misuse it grows just bigger.

So far already 107 countries have put in place legislation to secure the protection of data and privacy. Data protection is not just European thing – Asia and Africa show a similar level of adoption of privacy laws, with less than 40 per cent of countries having a law in place. Also, in US data protection laws have been introduced in many states, and federal law is under serious discussion, too. 

What to expect in 2020?

Increased GDPR enforcement

European Union (EU) regulators will ramp up GDPR enforcement across the board, and with a particular focus on AdTech, cookies, and children’s data. So far EU data protection regulators have imposed €114 million  in fines under the GDPR regime for a wide range of GDPR infringements.

ePrivacy Regulation 

Future of ePrivacy Regulation is still unknown. Most probably it will either move forward under Croatian presidency, or be withdrawn altogether. At the same time, EU regulators are looking deeper into cookie compliance. Guidance on cookies was issued by UK, French, German and Spanish regulators, and the Court of Justice of European Union (CJEU) delivered its judgement in Planet49.

Adtech

Adtech has attracted attention of data protection authorities already in 2019, and regulators will focus on this area even further in 2020. Big players are adding push on adtech industry, too. For example, Google announced that it will phase out third-party advertising cookies over the next two years.

Biometrics

Last year was the year of facial recognition, with lots of press attention around its use in policing as well as by corporations. There are significant advantages to biometrics, such as security, but  there is also a lots of privacy challenges associated with use of the technology. EU is already considering possible ban on facial recognition tech in EU.

AI and new technologies

Legislators and regulators are looking to take concrete measures on AI and new technologies. For example, European regulators are working toward a unified approach to regulating big tech companies’ voice assistant programs.

International data transfers

We’re waiting for Court of Justice of the European Union decision regarding validity of standard contractual clauses (SCCs) to legitimise transfers of personal data outside the EEA. SCCs will likely have to undergo major reform to escape the same fate as the now-defunct Safe Harbor Framework. Also, the European Commission (EC) intends to issue an adequacy decision for the UK by the end of the transition period (31 December 2020) which would allow data flows from the EEA to the UK to continue uninhibited too, but this is a fairly ambitious deadline.

What to do?

It is evident that data protection and privacy issues will remain in focus of both regulators and consumers. There is no way around it so the best approach is to integrate privacy in into daily business practices and try to find competitive edge. Consumer trust is becoming even more important. It can be a key differentiator for companies, especially those engaging with new and emerging technology.

On 21 January 2019, French data protection authority Commission Nationale de l’Informatique et des Libertés (CNIL) imposed a penalty in amount of €50 million on Google’s U.S. headquarters – Google LLC – for infringements of General Data Protection Regulation (GDPR). Specifically, for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

The CNIL found that the general structure of Google’s privacy policy and terms & conditions are too complex for the average user, and that Google also failed to establish a legal basis for data processing for targeted advertising (as it used pre-ticked boxes as a consent mechanism).

History of case

On 25 and 28 May 2018 – just after GDPR came in full force – CNIL received group complaints from the associations None Of Your Business (founded by privacy activist Max Schrems) and La Quadrature du Net. La Quadrature du Net was mandated by about 10 000 people to refer the matter to the CNIL. The associations claimed that Google did not have a valid legal basis to process the personal data of its users, particularly for ads personalization purposes. The complaints focused specifically on Android’s set-up process where users need to create a Google account in order to use their device.

When CNIL started investigating the complaints, Google insisted that CNIL has no authority over it as Google’s European headquarters are lacated in Ireland and Irish data protection authority (DPA) should be leading the case in accordance with the “one-stop-shop mechanism” – GDPR provisions on international cooperation of EU data protection authorities. Therefore, on 1st June 2018, the CNIL sent these two complaints to its European counterparts to assess if it is competent to deal with them.
Communication with the other authorities, in particular with the Irish DPA, revealed that Google’s Irish establishment did not have a decision-making power on the processing operations carried out in the context of the mobile operating system Android and the services provided by Google LLC in relation to the creation of an account during the configuration of a mobile phone.

In particular, the CNIL pointed to the fact that Google Ireland Limited was not mentioned in the privacy notice as the decision-making entity for processing activities related to Android users, and that it did not develop the Android operating system (Google LLC did). Besides, Google itself confirmed that it was in the process of “transferring responsibility” from Google LLC to Google Ireland Limited for the processing operations covered, and that this process would only be finalized by 31 January 2019. Therefore CNIL decided that the “one-stop-shop mechanism” is not applicable and CNIL (like any other EU data protection authority in given circumstances) is competent to take any decision regarding processing operations carried out by Google LLC.

In September 2018 CNIL carried out online inspections to verify the compliance of Google’s processing operations with the French Data Protection Act and the GDPR. In particular CNIL analysed the browsing pattern of a user and the documents user can have access, when creating a Google account during the configuration of a mobile equipment using Android.

On 21 January 2019, the CNIL’s Restricted Committee – which is responsible for imposing sanctions – imposed on Google LLC a fine as it observed two types of GDPR infringements:

• violation of Google’s transparency obligations under the GDPR (specifically of Articles 12 and 13 of GDPR), and
• the lack of a legal basis for processing personal data (a requirement under Article 6 of GDPR) for advertising purposes.

Violations

CNIL found that Google LLC has breached following GDPR requirements.

1. Inefficient transparency and information

To proceed with an in-depth analysis of Google’s information practices, CNIL applied the transparency criteria established by Working Party 29 and endorsed by EDPB. CNIL found that the information Google provides to its users on its data processing activities is not easily accessible, sufficiently clear and intelligible. That prevents users from determining, in advance, the extent and consequences of the processing of their personal data. Failure to provide data subjects with sufficient transparency and information is a breach of Article 12 and 13 of the GDPR.

Insufficient accessibility to the information

Information about Google’s data processing activities is disseminated across several documents that are provided to users at different times. In addition to this fragmented information, in order to be able to understand what data is collected, for which purposes and for how long Google will process their data, users are forced to navigate and cross-check a large amount of information, across complex web notices and policies, clicking many links. The CNIL assessed that, in the case of targeted ad processing, five different user actions were required in order to access the full set of information that applies to the processing of the user’s data.

While generally DPAs encourage use of “layered” approach in providing information to individuals, CNIL notes that Google uses information “layers” in a way that adds complexity to information rather than making it easier to understand. This complexity results in a general lack of accessibility, making it hard for users to find and understand the information.

Lack of clear and understandable information on data and purposes

The CNIL points out that in the course of providing its services Google processes a very large amount of personal data that is gathered through various sources, and such processing may reveal sensitive data (e.g. political and other interests and opinions, life style, tastes etc.). That makes Google’s data processing activities “massive and intrusive”. Taking into account the nature of the processing and its impact on the data subjects, the first layer of information provided by Google’s “Privacy & Terms” and “Terms of Service” is not sufficient for users to understand the full extent and consequences of the processing activities Google carries out on their personal data:

• the description of the purposes is too generic (g. “improve the services we provide to our users”); and
• the description of the data collected is “particularly incomplete and inaccurate”.

However, the CNIL admits that thorough information provided directly within that first layer would be contrary to the transparency requirement due to the number and extent of Google’s data processing activities. In this respect a different presentation of the “Privacy & Terms” could enable more visibility on the characteristics of data combination activities carried out depending on their data processing purpose.

Unclear information regarding legal basis for targeted advertising

Google does not provide information about legal basis for processing of data for targeted advertising in a sufficiently clear and understandable way – while Google argues that it relies on data subjects’ consent as the exclusive legal basis for such processing, for other kinds of targeted advertising it indicates legitimate interests as a legal basis. Therefore, users are not able to understand the difference between the category of customised advertising, which are based on customer’s consent and the other forms of targeting, which are based on Google’s legitimate interests.

Missing information on retention period

Google does not provide period for which it stores data or even the criteria used to determine such period, as required by Article 13(2)(a) of the GDPR. Indeed, only a general explanation on the purpose of the retention period is provided without any precise retention term or criteria enabling to determine such period.

Google’s tools for transparency and information are not sufficient

CNIL welcomed the tools Google implemented to improve user’s access to information about their data. However, they are only available once the user’s account has been created and does not provide such information to data subjects at the time the personal data is collected, as required by Article 13 of the GDPR. Google account is set-up by default to enable customized features (such as personalized recommendations and adverts) that are based on pre-ticked boxes, preventing users from making a choice during account creation.

2. Lack of legal basis for ads personalization

Google states that it relies on the users’ consent to process their personal data for ads personalization purposes. However, such consent is not valid for following reasons:

• The users’ consent is not sufficiently informed (for the reasons detailed above).
• It is neither unambiguous, nor specific, as required by GDPR:
  • Google uses pre-ticked check-boxes by default for the user’s preferences.
  • When creating account, user has to specifically click on “more options” to access preferences. Otherwise, user’s consent will be deemed given to Google. Therefore, the user would not consent with a clear affirmative action.
  • Google requires the users to consent to the privacy policy, the terms of use and to select “create an account” as a whole. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by Google, including behavioral advertising, not for specific purposes.

Fine applied to Google for GDPR breaches

For violations of GDPR the CNIL imposed on Google LLC a financial penalty of €50 million. This is the first time that the CNIL applies the new sanction limits provided by the GDPR. CNIL justifies the decided amount and the publicity of the fine by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.

Despite the measures implemented by Google (documentation and configuration tools), the infringements are substantial as they can impact important parts of individual’s private life since they involve a huge amount of data, a wide variety of services and almost unlimited possible combinations. Moreover, the violations is not a one-off, time-limited, infringement but are continuous breaches of the Regulation as they are still observed to date.

Finally, Android operating system has important place on the French market, impacting millions of users. Furthermore, CNIL points out that the economic model of the company is partly based on the ads personalization. Therefore, it is of its utmost responsibility to comply with the obligations on the matter.

Takeaways from case

The case raises a number of important privacy issues.

Even companies not based in EU must follow GDPR

CNIL fined Google LLC – a company not based in EU. That means that even companies which are not based in Europe must follow the tough new rules if they want their sites and services to be available to European users. CNIL’s decision is strong indication that being located outside EU is not an obstacle for data protection authorities to go after them in case of substantial breaches.

‘One stop shop’ and main establishment

The decision dismisses the application of the GDPR’s one-stop-shop by holding that Google Ireland Limited is not Google’s main establishment in the EU (which would make the Irish data protection authority the competent authority, instead of the CNIL). CNIL decided that Google has no main establishment in the EU because:

• the decisions over the processing of data relating to Android and Google accounts are made by Google’s headquarters in the US (i.e. Google LLC), not by Google Ireland Limited,
• Google’s privacy policy does not mention Google Ireland Limited as the controller, and
• Google Ireland Limited has not appointed a data protection officer to oversee Google’s processing operations in the EU.

Consequently, in the absence of a main establishment in the EU, Google LLC could not benefit from the “one-stop-shop” mechanism, as it was not possible to clearly identify the lead supervisory authority. With no main establishment in the EU, Google LLC could potentially be subject to enforcement by any supervisory authority in the EU.

The decision demonstrates a willingness by regulators to interpret the “main establishment” concept restrictively, which, for non-EU headquartered companies, could render the one-stop-shop redundant and expose them to enforcement by several authorities. Moreover, there can also be different controllers for different processing activities within the same group and thus different lead authorities, which can make “one-stop-shop” mechanism very complex.

Transparency obligations

This decision will require companies to review information and the manner they provide they provide it to data subjects. It emphasizes a need for notices that are user-friendly, comprehensive and exhaustive at the same time. That is hard task for organisations processing large amount of personal data for different purposes, as it also requires thorough and centralised knowledge about organisations processing activities. At the same time it is evident that DPAs recognises tools and mechanisms that empowers users and make access to their data and information easier and more convenient.

Consent and legal basis for processing

Companies have to be clear what exactly are legal basis for processing of data. Mixing them and being unclear may lead to violation of GDPR. And where legal grounds for data processing is consent, strict rules of GDPR has to be followed. CNIL’s decision re-emphasis that under the GDPR consent must be “given by a clear affirmative act establishing a freely given, specific, informed and ambiguous indication” of the individual’s will. Pre-ticked boxes are not considered as a valid consent. Also, consent has to be collected for each of processing activities, rather than one consent for all of them.

Penalties

While many hoped data protection authorities would adopt a conciliatory approach for several more months, it is now clear that the grace period is over and fines will follow. The fine also indicates that €20 million is not the limit and threshold 4 % of the total worldwide annual turnover can be applied instead to big companies.
The CNIL observed following reasons that were considered calculating the fine:

• the nature of the infringement: Google violated violation of the basic key data protection principles (transparency and lawfulness);
• the duration of the infringement: violations were continued;
• the scope of the infringement: Google, with its operating system Android, occupies an important position on the operating system market, and
• taking into account the purpose of processing, the scope of data and the number of affected data subjects (massive and intrusive collection of personal data), violations were severe;
• the gain obtained from the infringement: the business model of Google is essentially based on the exploitation of personal data of its users, from which it gets benefits.

Unfortunately, no more specific indication are given as to how the fine was calculated, nor as to how importance of each of the cited factors. Given Google’s France’s “limited” turn-over, the fine is clearly based on the turn-over of Alphabet, the holding company.

As one of the first and loudest cases, this case may set a “benchmark” for further regulatory fines for GDPR breaches.

Plans to implement GDPR

Just like most companies whose business models rely on the processing of EU citizens’ data, Google made efforts to increase data usage transparency and improve privacy settings access for the GDPR’s arrival last year. Apparently company hasn’t done enough to meet expectations of its users and GDPR.

CNIL recognised the efforts undertaken by Google towards greater transparency and users’ information, as well as providing users with improved control over their personal data. Nevertheless, the CNIL found that Google’s current information practices do not comply with the basic GDPR requirements. That means that efforts made to comply with GDPR will have a positive influence on data protection authority, however, basic principles shall be met.

Associations can complain, too

Both complaints that initiated CNIL’s investigations were brought by two associations, not data subjects themselves. Google contested the right of associations to complain for GDPR breaches on behalf of customers, as this is not provided in procedural laws. However, CNIL pointed out that Article 80 of GDPR provides such right and obligation for institutions to accept complaints without additional formalities. Even more – such associations may receive compensation for breach of its members’ privacy rights.

It should be noted that associations are more qualified to prepare legally sound complaints that individuals. And that means we will see more and more cases initiated by associations.

What’s next?

Appeal of CNIL’s decision

The CNIL’s decision is now open for appeal before the French Council of State for a period of 4 months. Google has already publicly announced its intention to appeal the CNIL’s decision. Company issued a statement saying:“We’ve worked hard to create a GDPR consent process for personalised ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing. [..] We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we’ve now decided to appeal.”

More fines from other EU DPA’s?

The fine only relates to the French processing (given that the CNIL is not competent in these circumstances to impose fines in respect of infringements in other member states), and it remains to be seen if any other DPA will seek to impose fines for their jurisdiction. It is already evident that CNIL is not the only EU’s data protection authority aiming at Google for GDPR breaches. Recently UK’s watchdog the Information Commissioner’s Office (ICO) announced that it also looking into whether Google has violated the General Data Protection Regulation (GDPR). ICO said it is working with other regulators around Europe to consider its next possible steps after a number of complaints had been raised.

Today is international Data Protection Day. Yes, that’s official day! Data Protection Day, or as it is called outside Europe – Privacy Day, is celebrated each January 28th already since 2007.

In 2006 the Council of Europe launched a Data Protection Day to be celebrated each year on 28 January, the date on which the Council of Europe’s data protection convention, known as “Convention 108”, was opened to signature.

Now Data Protection Day is celebrated globally. This is the date to raise awareness about the rights to personal data protection and privacy.

Protection of personal data becomes more important each day. People are more and more concerned about how their data is used. EU data protection authorities have received almost 100,000 complaints since EU GDPR is enacted. And just few days ago French authority issued first significant fine under GDPR – €50 million – to Google for “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization”.

That is bold move by DPAs to force companies to implement GDPR requirements not just formally and superficially, but according to its spirit and principles.

Number of complaints and news on applied fines for GDPR breaches is clear sign that May 25th, 2018 wasn’t end date of GDPR compliance – rather it was just beginning. We will see more often about such fines and other actions from authorities.

And it’s not just about Europe – countries in other regions, too are enacting similar laws. Even US is debating necessity to adopt federal law.

By the way – to mark the occasion, the Committee of the Council of Europe’s data protection treaty “Convention 108” has published Guidelines on Artificial Intelligence and Data Protection. AI brings new possibilities and new era of data protection challenges – like internet did. So it is just matter of time we will see a new update to GDPR, Convention 108 and other privacy regulation.