Data Protection Weekly 1/2024

Jan 8, 2024


CEDPO’s upcoming webinar on the global approaches to AI regulation

The Confederation of European Data Protection Organisations (CEDPO) is hosting an online webinar titled “One Technology, Many Perspectives: Global Approaches to AI Regulation”. Scheduled for 18 January 2024, this event will explore the varying global perspectives on AI regulation, focusing particularly on the impact on data protection. Experts from the US, the UK, and the EU, including Chris Eastham, John Ghose, and Dr. Maria Moloney, will discuss the diverse legal frameworks governing AI. They aim to address the vital question: what constitutes optimal AI regulation? Held via Zoom, this webinar promises to offer invaluable insights into the complex world of AI regulation and its impact on data protection. The webinar will be recorded for those unable to attend live. You can read more about it here and register here.

European Union

EDPS: Registration Open for CPDP – Data Protection Day 2024

The Council of Europe (CoE), CPDP, and the European Data Protection Supervisor (EDPS) invite registrations for the CPDP – Data Protection Day. Scheduled for 25 January 2024, this event will take place at “Les Halles de Schaerbeek” in Brussels, Belgium. This one-day conference will feature keynote speeches and panel discussions focused on safeguarding individuals’ rights to privacy and data protection. Key themes include global data flows, digital governance, regulating AI, and the harmonisation of GDPR procedures. The event promises to address the latest developments and challenges in the data protection world. Participants are encouraged to join in person for this crucial gathering in the field of data protection. Registration and further event details are available here.

National Authorities

ICO responds to concerns on facial recognition

The UK data protection authority (ICO) recently addressed parliamentary inquiries about facial recognition technology. Recognising its benefits in crime prevention and detection, the ICO stressed the importance of carefully handling the vast amounts of sensitive personal data on which this technology relies. The ICO underlined that the deployment of such technology must adhere to stringent legal standards, ensuring necessity, proportionality, fairness, and accuracy in its use. Highlighting their proactive approach, the ICO referred to a significant action taken against Clearview, involving a £7.5 million fine, which continues to be pursued through the courts. This stance underscores the ICO’s commitment to mitigating the risks and unlawful uses of facial recognition technology. The ICO plans to review the parliamentarians’ letter thoroughly to address their specific concerns, reinforcing their willingness to engage in meaningful dialogue on this critical subject. You can read the full statement here.

Spain: AEPD unveils innovative age verification system

On December 14, 2023, the Spanish data protection authority (AEPD) unveiled an advanced age verification system aimed at preventing minors from accessing adult content online. The system, introduced during the AEPD’s 30th-anniversary event, emphasises protecting minors while preserving adults’ anonymity during internet browsing. This novel approach processes the age attribute on the user’s own device, so that neither the individual’s identity nor their status as a minor is revealed to websites. The system comprises a Decalogue outlining principles for age verification, a technical note detailing the project, and practical videos demonstrating its functionality across various devices and identity providers. This initiative aligns with the General Law of Audiovisual Communication, which mandates that video-sharing platforms implement age verification systems. The National Commission on Markets and Competition (CNMC) will assess the system’s suitability, with the AEPD providing a mandatory report based on the Decalogue criteria. This development represents a significant stride towards a digitally advanced society that prioritises child protection and data privacy. You can read the press release here (in Spanish).

Netherlands: AP unveils 2024 strategy for data protection

The Dutch data protection authority (AP) has outlined its strategic focus for 2024, emphasising the protection of citizens in an increasingly digital world. Recognising the escalating risks associated with the expansive use of algorithms and artificial intelligence (AI), the AP aims to safeguard fundamental rights such as privacy and non-discrimination. With limited resources and an expanding oversight field, the AP plans to target the most significant threats to individuals and society, upholding public interests such as equality, personal autonomy, and the accountability of power. The AP’s 2024 agenda will specifically highlight five key areas: Algorithms & AI, Big Tech, Freedom & Security, Data Trade, and Digital Government. These themes will be addressed alongside its regular responsibilities, including education, research, sanctions, legislative review, and handling complaints and data breaches. The detailed action plan for these themes is available in the AP’s 2024 annual plan. You can read the press release here and the annual plan here (both in Dutch).

OpenAI lists Irish subsidiary as data controller for users in EEA

OpenAI has revised its Privacy Policy and Terms of Use, effective 15 February 2024, to enhance clarity and transparency for users in the European Economic Area (EEA), Switzerland, and the UK. A significant update includes the appointment of OpenAI Ireland Limited as the data controller for these regions, ensuring compliance with local data protection regulations. The Privacy Policy now provides detailed information about the personal data collected, such as during participation in OpenAI events or surveys. Additionally, for ChatGPT Enterprise and business accounts, it clarifies administrators’ access and control over associated accounts. The Terms of Use have been updated to better define service commitments and segregate commercial terms. These changes are designed to make understanding and navigating user rights and OpenAI’s obligations simpler. You can read the updated Privacy Policy here and Terms of Use here.

Google introduces Tracking Protection: a key move in phasing out third-party cookies in Chrome

Google is testing a new feature in Chrome, named “Tracking Protection,” to enhance user privacy by limiting cross-site tracking. Starting January 4, the test will initially impact 1% of Chrome users worldwide, marking a key phase in the Privacy Sandbox initiative to eliminate third-party cookies by the second half of 2024. This step is subject to the UK’s Competition and Markets Authority’s review. Tracking Protection aims to restrict third-party cookie access, addressing privacy concerns while maintaining web functionality. Users selected for this feature will receive notifications in Chrome on desktop or Android. You can read the full article here.

Belgium: APD upheld the right to be deleted from the baptismal register

In a landmark decision, the Belgian data protection authority (APD) has ordered the Diocese of Ghent to comply with a request from an individual seeking removal from the baptismal register. This ruling challenges the Catholic Church’s practice of recording baptisms for fraud prevention and historical record. The APD acknowledged the church’s legitimate interest but noted it does not override an individual’s express desire to leave the church and erase their baptismal data. The case arose when the church, instead of deleting, annotated the individual’s departure in the margin of the baptismal register. The APD ruled this practice illegal, citing the General Data Protection Regulation (GDPR), which allows data erasure under specific conditions. This case underscores the GDPR’s scope and the complex balance between institutional data retention and individual rights to data erasure. The decision can be appealed within 30 days. This ruling is part of several ongoing cases regarding data protection in the process of ‘debaptism.’ You can read the press release here.

Poland: UODO fines Minister of Health for personal data breach

The Polish data protection authority (UODO) imposed a 100,000 PLN (approx. €23,000) fine on the Health Minister for disclosing health-related data. The incident involved the Minister accessing and publishing a doctor’s health information on social media, in violation of data protection law. UODO’s decision reflects the maximum penalty available for public sector entities; the authority noted that the fine could have been higher without the statutory limit. The Minister, as data controller, failed to comply with the GDPR and national regulations. The case also highlighted the use of WhatsApp for transmitting sensitive data, which UODO criticised as insecure and unsuitable for public administration communication. The Minister’s insufficient data protection measures, inadequate notification of the affected individual, and lack of corrective actions after the incident were key factors in the ruling. UODO found no mitigating circumstances to justify reducing the fine. You can read the press release here and the full decision here (both in Polish).

France: CNIL issues six new sanctions under its simplified procedure

In recent enforcement actions, the French data protection authority (CNIL) utilised its simplified procedure to issue six new sanctions, totalling €44,000. This approach, applied since November 2023, addresses a range of data protection violations. Significant breaches include inadequate data security measures, excessive data collection during employment recruitment, and disregard for individual rights in contexts like medical data access and political email solicitation. A notable instance involved a health professional penalised for failing to provide access to a child’s medical records, a serious breach of both individual rights and data protection principles. In another case, a company faced a fine for collecting irrelevant personal information from job applicants, highlighting the need for data collection to be directly linked to the job’s requirements. Additionally, a political candidate was fined for not respecting an individual’s request to stop receiving political emails. These actions by the CNIL, under its streamlined sanction procedure, underscore the increasing scrutiny and enforcement in data protection across sectors. You can read the press release here (in French).

Netherlands: AP intervenes to correct Dutch Police’s SIS data mismanagement

In response to the Dutch National Police’s improper handling of data in the Schengen Information System (SIS), the Dutch data protection authority (AP) played a crucial role in enforcing compliance and rectifying violations. The AP’s investigation revealed significant lapses in the quality of alerts and the duration of their retention, resulting in incorrect or incomplete personal data within the SIS. Highlighting the serious implications of such errors, AP Director Katja Mur stressed the heightened responsibility of SIS users, given the potential for unjust border refusals or unwarranted arrests. The AP’s threat to impose incremental penalty payments prompted the National Police to implement the necessary reforms. This coordinated action, part of a wider European inspection, underscores the AP’s commitment to ensuring that authorities maintain the integrity of personal data in European information systems. The case also signals the increasing importance of vigilant oversight as new information systems emerge and existing ones interconnect, amplifying privacy risks alongside security enhancements. You can read the press release here (in Dutch).