Monthly Update – December 2024

December 2024 closed out a busy year for privacy and tech compliance. Three developments stand out: important guidance on how GDPR applies to AI models, a significant fine against Netflix for transparency failures, and a court ruling that reframes what "making it right" can look like after a GDPR breach.


The EDPB Opinion on AI models: three things to know

What happened

The European Data Protection Board published Opinion 28/2024 on the processing of personal data in the context of AI models. The Opinion addresses three practical questions that matter for any company building or using AI.

First: "anonymous" AI models are not automatically outside the scope of GDPR. Just because a model does not directly output personal data does not mean it qualifies as anonymous. The EDPB takes a case-by-case approach: a model is only anonymous if the likelihood of extracting personal data from it, either directly or through queries, is insignificant. Controllers need to be able to demonstrate this.

Second: legitimate interest can be a valid legal basis for AI model development and deployment, but only if you carry out the required balancing test. You need to identify a specific, real interest, show the processing is necessary for that purpose, and demonstrate that it outweighs the rights of the individuals whose data was used.

Third: if an AI model was trained on unlawfully obtained personal data, that can affect the lawfulness of deploying it, unless the model has been properly anonymised. This is a significant point for companies that rely on third-party models or publicly scraped datasets.

What this means for you

If your business develops or uses AI models that involve personal data, this Opinion raises the bar for what you need to document and demonstrate. Claiming anonymity is not enough without evidence. Relying on legitimate interest requires a proper assessment, not a checkbox.

Do not be afraid to ask hard questions about the AI tools you use: where did the training data come from, and was it lawfully obtained? These are not just theoretical questions anymore.


The Netflix Case: transparency is not optional

What happened

The Dutch data protection authority fined Netflix €4.75 million for failing to meet transparency requirements under GDPR. The investigation, which covered the period between 2018 and 2020, found two main problems.

Netflix's privacy notice did not clearly explain how customer data was being processed, including the purposes and legal bases for processing, which third parties received the data, how long data was retained, and what safeguards applied to international transfers.

In addition, when customers exercised their right to access their data, Netflix did not provide enough information in response.

What this means for you

Transparency is one of the foundations of GDPR, and this case is a reminder that it applies to every layer of how you communicate with your users.

Your privacy notice should do two things well. It should be comprehensive: cover all your data processing activities, including the specific purposes for each category of data you collect. And it should be understandable: written in clear, plain language that a customer can actually follow, with formats that work for longer or more complex information.

If a customer asks about their data, your response needs to be genuinely informative. Pointing to a general privacy policy is not sufficient.

For practical guidance on keeping your privacy practices compliant, take a look at our post on 5 Quick Wins to Improve Your Privacy Practices.


The PTAC Case: apologising for a breach can make a difference

What happened

The Latvian consumer protection agency used an advertisement that featured a character imitating a journalist, without obtaining that person's consent. The courts found the processing unlawful and ordered the agency to stop, issue a public apology, and pay €100 in compensation.

When the case reached the Court of Justice of the European Union, it confirmed something important: under GDPR, an apology can constitute sufficient compensation for non-material damage, provided it fully makes up for the harm suffered by the data subject. Article 82 GDPR serves a compensatory purpose, not a punitive one. A controller's attitude or intentions do not factor into determining the amount of compensation.

What this means for you

An apology will not eliminate the risk of fines from a regulator, and it is no substitute for getting your data processing right in the first place. But this ruling does show that taking responsibility for a breach, promptly and genuinely, can influence how a situation unfolds.

If something goes wrong, how you respond matters. Acknowledging the issue and taking corrective action is not a sign of weakness; it is part of responsible data governance.


Want to make sure your business starts 2025 on the right foot? Book a free introductory call and we will take a look at where you stand.

We take great care in providing information to you, but please be aware that these blog posts cannot be considered a substitute for professional legal advice, nor do they create an attorney-client relationship.
