The documents, which were supposed to prove that the risk analysis had been conducted, were inconsistent and full of ambiguities. The hospital did not indicate which processes it was analysing, nor did it link these processes to identified threats, vulnerabilities and the final risk assessment. When explaining what technical measures it used to secure its IT systems, the administrator referred to an audit conducted for compliance with the act on the national cybersecurity. However, this act focuses primarily on ensuring a safe and uninterrupted system for providing services, and not \u2013 as is the case with the GDPR \u2013 on protecting the rights and freedoms of natural persons.<\/p>\n\n\n\n
The hospital did not implement an appropriate procedure for performing and documenting recovery tests, and did not apply appropriate security measures for the backup copies created, which could have contributed to the fact that the hospital was unable to fully restore the data lost as a result of the attack.<\/p>\n\n\n\n
Stay up to date! Sign up to receive our fortnightly digest via email.<\/mark><\/a><\/h5>\n\n\n\nOther legal developments<\/h4>\n\n\n\n![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdt60U-rgZpsscxy4WbV1KYwr5nJv22ni5DvfFFlSDsG3HBT-y5FopgQfnYr0l12vhOQfiMItXZ9j_gANfF-p7MxVfcUkq_iN1HHTZTB1G1w8RSyrYYgQh2EhXm4ob72L8TxAdqng?key=_MeIxJMdyKA5I3vdXXpFLg\")
<\/figure>\n<\/p>\n\n\n\n
From 19 June, the Data Use and Access Act 2025<\/strong> (DUAA) amends, but does not replace, the UK General Data Protection Regulation (UK GDPR)<\/a>, the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR), to promote innovation (eg, commercial scientific research, automated decision-making) and economic growth. Whilst it still protects people and their rights, the DUAA simplifies personal data usage in the following ways:\u00a0<\/p>\n<\/div><\/div>\n\n\n\n\n- New \u2018recognised legitimate interests\u2019 lawful basis of data processing (from public safety to direct marketing)<\/li>\n\n\n\n
- Assumption of compatibility for some data reuses<\/li>\n\n\n\n
- \u2018Soft opt-in\u2019 (eg, for charities)<\/li>\n\n\n\n
- More flexible requirements on cookies<\/li>\n\n\n\n
- Reasonable and proportionate subject access requests, etc.<\/li>\n<\/ul>\n\n\n\n
At the same time, if you provide an online service that is likely to be used by children, the DUAA explicitly requires you to take their needs into account. The data subject complaints must also be facilitated by offering electronic complaint forms and respecting the 30-day legal time frame for acknowledgement and response. The changes will be phased in between June 2025 and June 2026. More summaries of changes can be found here<\/a> and here<\/a>.<\/p>\n\n\n\nGDPR enforcement ease:<\/strong> The Council of the European Union and the Parliament have reached a deal to make cross-border GDPR enforcement work better for citizens. Once adopted, the regulation will speed up the process of handling cross-border GDPR complaints, and any follow-up investigations<\/a>. The co-legislators agreed on an overall investigation deadline of 15 months, which can be extended by 12 months for the most complex cases. The early resolution mechanism will allow data protection authorities to resolve a case before triggering the standard procedures for handling a cross-border complaint. This may be the case where the company or organisation in question has addressed the infringement and where the complainant has not objected to the early resolution of the complaint.<\/p>\n\n\n\nAI and web scraping<\/h4>\n\n\n\n![\"risk](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXd_6hbQWpi0nKp3MeYUIsZ-R025WEmfSsv-NvZEl1NLAL3DUH1uoes2g4LKRkC1klQivlNl3Md9eTZrOTdOOyQJktXp7NiCph7rnJ7gAy77EyY7yGNoCfQRE9I6H2IwpAIh_vWdqQ?key=_MeIxJMdyKA5I3vdXXpFLg\")
<\/figure>\n<\/p>\n\n\n\n
The GDPR, in many cases, applies to AI models trained on personal data, due to their memorisation capabilities. To that end, a French CNIL guide specifies the conditions for using legitimate interest in the development of AI in the case of web scraping. In line with the opinion adopted by the EDPB in December 2024, the CNIL considers that the development of AI systems does not systematically require the consent of individuals. Legitimate interest is a possible legal basis<\/a> for the development of AI systems, subject to strong safeguards. <\/p>\n<\/div><\/div>\n\n\n\nThe guide offers examples of concrete safeguards adapted to the different types of AI systems: exclusion of certain data from collection, increased transparency, facilitation of the exercise of data subject rights, etc. For example, the reuse of future conversations of users with a chatbot for the improvement of the AI model can be based on legitimate interest provided that certain strong guarantees are put in place: information for individuals, right to object, restriction of processing towards pseudonymised\/anonymised data, etc. <\/p>\n\n\n\n
More from supervisory authorities worldwide<\/h4>\n\n\n\n
COPPA update:<\/strong> In the US, the amended Children’s Online Privacy Protection Rule took effect on 23 June. It includes a new definition for a mixed audience website<\/a> or online service that is intended to provide greater clarity regarding an existing sub-category of child-directed services. The amendments also modify operators’ obligations concerning direct and online notices; information security, deletion, and retention protocols; annual assessment, disclosure, and reporting requirements. It also adopts rules related to parental consent requirements, methods of obtaining verifiable parental consent, and exceptions. <\/p>\n\n\n\nBiometric identifiers vs biometric data:<\/strong> The JDSupra legal blog explains the differences between the two categories<\/a>, specified in the Colorado Privacy Act, which went into effect on July 1: Biometric identifiers<\/strong> is data generated by the technological processing, measurement, or analysis of a consumer\u2019s biological, physical, or behavioral characteristics which can be processed for identification. Biometric data<\/strong> is a subset of biometric identifiers which are used or intended to be used for identification purposes. It does not include digital or physical photographs, audio or voice recordings, or any data generated from a digital or physical photograph or an audio or video recording unless any of these are used for identification purposes. Both categories can be considered sensitive data and can require a privacy notice and consent. <\/p>\n\n\n\nChild data: <\/strong>Also in the US, New York\u2019s Child Data Protection Act (NYCDPA) went into effect on June 20. The Office of the Attorney General issues the practical guidance<\/a> in advance concerning the application of NYCDPA to minors’ data and the federal COPPA Rules; operator responsibilities concerning user-provided age flags; requirements for schools, school districts, and their third-party contractors; parental requests for products and services, etc. The guidance refers to a website, online service, online application, mobile application, or connected devices directed at minors. <\/p>\n\n\n
<\/figure><\/p>\n\n\n\n
From 19 June, the Data Use and Access Act 2025<\/strong> (DUAA) amends, but does not replace, the UK General Data Protection Regulation (UK GDPR)<\/a>, the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR), to promote innovation (eg, commercial scientific research, automated decision-making) and economic growth. Whilst it still protects people and their rights, the DUAA simplifies personal data usage in the following ways:\u00a0<\/p>\n<\/div><\/div>\n\n\n\n At the same time, if you provide an online service that is likely to be used by children, the DUAA explicitly requires you to take their needs into account. The data subject complaints must also be facilitated by offering electronic complaint forms and respecting the 30-day legal time frame for acknowledgement and response. The changes will be phased in between June 2025 and June 2026. More summaries of changes can be found here<\/a> and here<\/a>.<\/p>\n\n\n\n GDPR enforcement ease:<\/strong> The Council of the European Union and the Parliament have reached a deal to make cross-border GDPR enforcement work better for citizens. Once adopted, the regulation will speed up the process of handling cross-border GDPR complaints, and any follow-up investigations<\/a>. The co-legislators agreed on an overall investigation deadline of 15 months, which can be extended by 12 months for the most complex cases. The early resolution mechanism will allow data protection authorities to resolve a case before triggering the standard procedures for handling a cross-border complaint. This may be the case where the company or organisation in question has addressed the infringement and where the complainant has not objected to the early resolution of the complaint.<\/p>\n\n\n\n <\/p>\n\n\n\n The GDPR, in many cases, applies to AI models trained on personal data, due to their memorisation capabilities. To that end, a French CNIL guide specifies the conditions for using legitimate interest in the development of AI in the case of web scraping. In line with the opinion adopted by the EDPB in December 2024, the CNIL considers that the development of AI systems does not systematically require the consent of individuals. Legitimate interest is a possible legal basis<\/a> for the development of AI systems, subject to strong safeguards. <\/p>\n<\/div><\/div>\n\n\n\n The guide offers examples of concrete safeguards adapted to the different types of AI systems: exclusion of certain data from collection, increased transparency, facilitation of the exercise of data subject rights, etc. For example, the reuse of future conversations of users with a chatbot for the improvement of the AI model can be based on legitimate interest provided that certain strong guarantees are put in place: information for individuals, right to object, restriction of processing towards pseudonymised\/anonymised data, etc. <\/p>\n\n\n\n COPPA update:<\/strong> In the US, the amended Children’s Online Privacy Protection Rule took effect on 23 June. It includes a new definition for a mixed audience website<\/a> or online service that is intended to provide greater clarity regarding an existing sub-category of child-directed services. The amendments also modify operators’ obligations concerning direct and online notices; information security, deletion, and retention protocols; annual assessment, disclosure, and reporting requirements. It also adopts rules related to parental consent requirements, methods of obtaining verifiable parental consent, and exceptions. <\/p>\n\n\n\n Biometric identifiers vs biometric data:<\/strong> The JDSupra legal blog explains the differences between the two categories<\/a>, specified in the Colorado Privacy Act, which went into effect on July 1: Biometric identifiers<\/strong> is data generated by the technological processing, measurement, or analysis of a consumer\u2019s biological, physical, or behavioral characteristics which can be processed for identification. Biometric data<\/strong> is a subset of biometric identifiers which are used or intended to be used for identification purposes. It does not include digital or physical photographs, audio or voice recordings, or any data generated from a digital or physical photograph or an audio or video recording unless any of these are used for identification purposes. Both categories can be considered sensitive data and can require a privacy notice and consent. <\/p>\n\n\n\n Child data: <\/strong>Also in the US, New York\u2019s Child Data Protection Act (NYCDPA) went into effect on June 20. The Office of the Attorney General issues the practical guidance<\/a> in advance concerning the application of NYCDPA to minors’ data and the federal COPPA Rules; operator responsibilities concerning user-provided age flags; requirements for schools, school districts, and their third-party contractors; parental requests for products and services, etc. The guidance refers to a website, online service, online application, mobile application, or connected devices directed at minors. <\/p>\n\n\n\n
AI and web scraping<\/h4>\n\n\n\n
More from supervisory authorities worldwide<\/h4>\n\n\n\n