Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource

CHINA: Recent Enforcement Trends
https://privacymatters.dlapiper.com/2025/03/china-recent-enforcement-trends/
Wed, 12 Mar 2025 09:42:03 +0000

Recently, the Cyberspace Administration of China (CAC), which is the primary data regulator in China, published a newsletter about the government authorities’ enforcement actions against Apps and websites that violated personal data protection and cybersecurity laws during 2024.

Based on the official statistics, during 2024, the CAC interviewed 11,159 website platforms, imposed warnings or fines on 4,046 website platforms, ordered 585 websites to suspend or update relevant functions, took down 200 Apps and took administrative actions on 40 mini-programs. The CAC also conducted joint enforcement actions together with the Ministry of Industry and Information Technology and revoked the licenses or shut down 10,946 websites and closed 107,802 accounts.

The following violations were the particular focus of these enforcement activities:

  • Failure to maintain the network logs required by law, or to promptly address security risks (such as system vulnerabilities), resulting in unlawful activity and regulatory issues such as system attacks, tampering and data leaks;
  • Failure to clearly display privacy notices in Apps, obtain necessary consent to process personal data, or provide convenient methods to opt out or de-register accounts;
  • Failure to conduct required recordal or filing for AI models or features built into Apps or mini-apps; and
  • Unreasonably requiring consumers to scan QR codes or perform facial recognition that is not necessary to provide the underlying services.

Around the same time, the National Computer Virus Emergency Response Center, an institution under the supervision of the Ministry of Public Security that is responsible for detecting and handling computer virus outbreaks and cyber attacks, published a list of Apps that violated the personal data protection laws in the following areas:

  • Failure to provide data subjects with all the required information about the processing (e.g. name and contact details of the controller, categories of personal data processed, purposes of the processing, retention period, etc.) in a prominent place and in clear and understandable language; in particular, failure to provide such information about any third party SDK or plugin is also considered a breach of the law;
  • Failure to provide data subjects with the required details about any separate controller (e.g. name, contact information, categories of personal data processed, processing purposes, etc.) or to obtain the separate consent of data subjects before sharing their personal data with the separate controller;
  • Failure to obtain the separate consent of data subjects before processing their sensitive personal data;
  • Failure to provide users with the App functions to delete personal data or de-register accounts, or to complete the deletion or deregistration within 15 business days; or setting unreasonable conditions for users to de-register accounts;
  • Failure to formulate special rules for processing the personal data of minors (under the age of 14) or to obtain parental consent before processing the personal data of minors; and
  • Failure to take appropriate encryption, de-identification and other security measures, taking into account the nature of the processing and its impact on the rights and interests of data subjects.

The above enforcement focuses are also consistent with the audit points highlighted in the newly released personal data protection audit rules (see our article here). We expect the same enforcement trend to continue into 2025. Companies that process personal data in China or in connection with business in China are advised to review their compliance status with the requirements of Chinese law and take remedial action in a timely manner.

UK: Data protection authority issues reprimand to gambling operator for unlawfully processing personal data
https://privacymatters.dlapiper.com/2024/09/uk-data-protection-authority-issues-reprimand-to-gambling-operator-for-unlawfully-processing-personal-data/
Wed, 25 Sep 2024 15:04:20 +0000

On 16 September 2024, the UK’s data protection authority, the Information Commissioner’s Office (ICO), issued a reprimand against Sky Betting and Gaming (SkyBet) for unlawfully processing people’s data through advertising cookies without their consent.

Between 10 January and 3 March 2023, SkyBet’s website dropped third-party AdTech cookies to visitors’ browsers before visitors could accept or reject them via a cookie banner. As a result, the visitors’ personal data (e.g., device information and unique identifiers) was shared automatically with third-party AdTech companies without visitors’ consent or a lawful basis. The cookies were deployed to allow advertising to be placed on other websites viewed by the visitor.

Whilst the ICO found no evidence of deliberate misuse of personal data to target vulnerable gamblers, it reprimanded SkyBet because it processed personal data in a way that was not lawful, transparent or fair.

This reprimand forms part of the ICO’s wider strategy to ensure that individuals’ rights and freedoms are respected. The ICO has recently reviewed the UK’s most-visited 100 websites and contacted more than half to warn of enforcement action. Many are reported to have implemented improvements, such as displaying a “reject all” button or presenting “accept all” and “reject all” options on an equal footing.

The ICO intends to assess the next 100 most-frequented websites and urges all organisations to review their cookie banners to ensure that any consent obtained is freely given. The ICO also intends to publish guidance on cookies and tracking technology before the end of the year.

DLA Piper advises all businesses on cookie compliance and is currently engaged by several businesses operating in the AdTech ecosystem, on assessing risk exposure and responding to ICO engagement. Should you wish to discuss this further, please reach out to your regular DLA Piper contact, or the authors of this blog.

SINGAPORE: Increased financial penalties under the PDPA now in effect
https://privacymatters.dlapiper.com/2022/10/singapore-increased-financial-penalties-under-the-pdpa-now-in-effect/
Wed, 05 Oct 2022 09:44:17 +0000

Authors: Carolyn Bigg, Yue Lin Lee

The provision setting out significantly higher financial penalties for Singapore’s Personal Data Protection Act 2012 (“PDPA”) is now in force.

There is now an increased risk for organisations contravening the PDPA in Singapore.

This means that in relation to any intentional or negligent contravention of:

  1. the data protection provisions, organisations may now have to pay a financial penalty of up to SGD 1 million or 10% of the organisation’s annual turnover in Singapore (where the organisation’s annual turnover in Singapore exceeds SGD 10 million), whichever is higher;
  2. the do-not-call provisions involving the use of dictionary attacks and address-harvesting software:
    • individuals may now have to pay a financial penalty of up to SGD 200,000; and
    • organisations, a financial penalty of up to SGD 1 million or 5% of the organisation’s annual turnover in Singapore (where the organisation’s annual turnover in Singapore exceeds SGD 20 million).

To recap, when the Personal Data Protection Commission is deciding whether a financial penalty is warranted, they will, among other things:

  1. assess the incident based on the principles of harm and culpability:
    • “Harm” includes the number of affected individuals, categories of affected personal data, duration of the incident etc.;
    • “Culpability” refers to the organisation’s conduct in the incident. The PDPC will consider the nature of the specific breach of the PDPA as well as the organisation’s overall compliance with the PDPA; and
  2. consider other relevant factors such as whether the organisation or person took any action to mitigate the effects and consequences of the non-compliance.

Key takeaways

Given the higher financial penalties, organisations must:

  • review their policies and practices for compliance with the new provision; and
  • update employees about the increased penalties and the accompanying increased risk for the organisation.

You may access the revised financial penalties here, and the Advisory Guidelines on Enforcement of the Data Protection Provisions here.

You may access our previous alert regarding the increased financial penalties here.

Please contact Carolyn Bigg (Partner) or Yue Lin Lee (Senior Associate) if you have any questions or to see what this means for your organisation.

DLA Piper Singapore Pte. Ltd. is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.

NETHERLANDS: Highest court side-steps determining whether legitimate interests may be purely commercial
https://privacymatters.dlapiper.com/2022/07/netherlands-highest-court-side-steps-determining-whether-legitimate-interests-may-be-purely-commercial/
Thu, 28 Jul 2022 10:28:28 +0000

On 27 July 2022, the highest administrative court in the Netherlands published its highly anticipated judgment involving the Dutch Data Protection Authority’s assessment of “legitimate interest” under Article 6(1)(f) GDPR.

It was expected that the court would provide some clarification on whether “purely commercial interests” can qualify as legitimate interests within the meaning of Article 6(1)(f) GDPR, potentially by referring preliminary questions to the ECHR for clarification. Unfortunately, privacy professionals across Europe have been left empty-handed. The court found that the controller had other legitimate interests, which were not exclusively commercial, that could be relied on. Hence, there was no need to consider the question of whether “purely commercial interests” could be a legitimate interest.

Background to the case

The appeal concerned a fine of EUR 575,000 issued by the Dutch Data Protection Authority (the “Dutch Authority”) to VoetbalTV for unlawful processing. VoetbalTV is a video platform for amateur football. The company streams or records videos of matches on behalf of clubs and processes the personal data of (young) amateur footballers.

In its decision of July 2020, the Dutch Authority concluded that VoetbalTV’s processing of amateur footballers’ personal data did not comply with Article 6(1)(f) GDPR, since a legitimate interest could not be purely commercial in nature. In the Dutch Authority’s view, a legitimate interest cannot be broadly interpreted and should follow from the law.

VoetbalTV appealed the Dutch Authority’s decision, and a lower Dutch court ruled in favour of VoetbalTV in November 2020. The lower Dutch court confirmed that, in its view, the Dutch Authority had applied the test for legitimate interest too narrowly. Yesterday’s case concerned the Dutch Authority’s appeal of this judgment.

The question of ‘purely commercial interests’

The judgment of the Dutch administrative court was of significant interest not just to Dutch-domiciled companies but also to controllers across Europe, because the first step of the (well-established) legitimate interests assessment[1] had not yet been considered from this angle.

The issue raised in this case was of such importance that the EU Commission recently published an open letter to the Dutch Authority setting out why, in its view, the Dutch Authority’s strict interpretation of Article 6(1)(f) was not in line with the GDPR, the guidelines of regulators and the case law of the CJEU.

Unfortunately, the Dutch administrative court was handed a ‘free pass’ in the form of additional legitimate interests raised by VoetbalTV which were not exclusively commercial in nature. Such interests were:

  1. the increase in the involvement and enjoyment of football fans;
  2. the ability to perform technical analyses;
  3. offering friends and family members the opportunity to watch matches from a distance; and
  4. contributing to a higher level of privacy protection by preventing the recording of matches via other channels.

Therefore, the Dutch administrative court concluded in favour of VoetbalTV. It established that, in light of the other interests stated by VoetbalTV, there was no longer any question of a “purely commercial interest”. For this reason, the court held that it did not have to answer the question, and no preliminary questions will be referred to the CJEU.

What does this mean for those relying on commercial legitimate interests?

This much awaited ruling comes as somewhat of a disappointment, as it was hoped that it would bring some clarity on whether a purely commercial interest can be a “legitimate interest” for the purposes of Article 6(1)(f) GDPR.

Early reported comments from the Dutch Authority imply that it still sees the processing activities of VoetbalTV as unlawful; however, at the time of writing there has been no official commentary regarding the future of the Dutch Authority’s interpretation of “legitimate interests”.

In our view, controllers should note the open letter of the EU Commission, in which the Commission highlighted that it was difficult to reconcile this strict interpretation with the intended effect of the EU legislature. What is perhaps more significant is that the EU Commission reminded the Dutch Authority that, even if a purely commercial interest is legitimate, this does not mean the controller can immediately rely on it: the second and third legs of the three-part legitimate interests test must still be satisfied.

Therefore, whilst controllers relying on legitimate interests as a lawful basis for processing should continue to be clear and transparent about those interests, extra care should be taken to document the Legitimate Interests Assessment where those interests could be considered ‘commercial’.

For any questions relating to this decision or assistance with assessing legitimate interests, please contact Richard van Schaik (Partner) or Francesca Pole (Associate), Data Protection, IPT Department, DLA Piper Netherlands.

[1] Set out in Fashion ID, Case C-40/17, ECLI:EU:C:2019:629.
