Data Protection Weekly 10/2023

Mar 9, 2023

 European Union

European Commission: WhatsApp agrees to comply fully with EU rules, informing users better and respecting their choices on contract updates

Following on from dialogue with the EU/EAA consumer protection authorities (CPC Network)  and the European Commission, WhatsApp has committed to being more transparent on changes to its terms of service. Moreover, the company will make it easier for users to reject updates when they disagree with them, and will clearly explain when such rejection leads the user to no longer be able to use WhatsApp’s services. See Commission press release here.

European Parliament: MEPs back plans for an EU-wide digital wallet

The Industry, Research and Energy Committee adopted its position on the proposed update of the European digital identity framework (eID) by 55 votes to 8, with 2 abstentions. The new eID would allow citizens to identify and authenticate themselves online (via a European digital identity wallet) without having to resort to commercial providers, as is the case today – a practice that raised trust, security and privacy concerns. It would also give users full control of their data and let them decide what information to share and with whom. The press release can be read here.

National Authorities

Ireland: Data Protection Commission publishes 2022 Annual Report

Commissioner for Data Protection, Helen Dixon, this week released the Irish Data Protection Commission’s Annual Report for 2022. The DPC concluded 17 Large-Scale inquiries, with administrative fines in excess of €1billion and multiple reprimands and compliance orders imposed.  Helen Dixon, commented: “Two-thirds of the fines issued across Europe last year, including the EU, EEA and UK, were issued by the DPC on foot of detailed and comprehensive investigations.” For the press release and report read here.

Czech Republic: DPA publishes FAQ on cookie Bars and Consent

The Office for Personal Data Protection (UOOU) published this week an FAQs on cookie bars and consent. The UOOU noted that cookies usually constitute personal data processing, and the need to clearly define their purpose to correctly determine the legal reason for processing them. Moreover, the UOOU highlighted the importance to distinguish between ‘technical cookies’ which are necessary for the website’s own operation, and ‘non-technical cookies’ which are used for monitoring website traffic and analysis for marketing purposes. For the full article (in Czech) please read here.

Lithuania: The DPA publishes guidelines onor employees and employers on the protection of personal data in the context of employment relations

The national State Data Protection Inspectorate published three guidelines, one for employees in the context of employment relations (‘the employee guide’), another for businesses in the context of employment relations (‘the business guide’), and a final guide for the public sector in the context of employment relations (‘the public sector guide’). The press release and three documents (in Lithuanian) can be read here.

Germany: The Bavarian State Office for Data Protection Supervision invites for registration to the 7th German-American Data Protection Day

In cooperation with the US Consulate General in Munich and the Bavarian State Office for Data Protection Supervision, the VBW (a Bavarian umbrella organisation for industry groups) has regularly organised a German-American Data Protection Day since 2012. This year, the focus is on the new Trans-Atlantic Data Privacy Framework as the legal basis for transatlantic data transfers between the EU and the US. We will discuss the contents of the agreement and the prospects of a judicial review by the ECJ with high-ranking representatives from politics, authorities, and business.

The contributions will be partly in English. Simultaneous translation will be provided.

The event will take place in person and will also be streamed online. Please choose your mode of participation during the registration process. The press release (in German) can be read here.


UK: Data Protection and Digital Information Bill introduced in Parliament

This week, Technology Secretary Michelle Donelan introduced the Data Protection and Digital Information Bill. The new amended UK version of the EU’s GDPR is being described as a concerted effort that will reduce costs and burdens for British businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online. It is claimed – by the UK government – that the proposed (‘strengthened’) bill will save the UK economy more than £4 billion over next 10 years and ensure that privacy and data protection are securely protected. The government’s press release can be read here. 

Facebook faces May D-Day for European blackout

Meta is facing a major legal decision within months that could see the shutters come down on its Facebook service in Europe. According to POLITICO, Helen Dixon of the Irish DPA said he was likely it issue a final verdict on Facebook’s last legal recourse for sending personal data to the U.S. before the EU and U.S. can strike a deal and roll out a new data transfer agreement. A draft decision issued last year is now pending approval by fellow EU regulators and could be finalized by mid-May. The full article can be read here.

Tech platforms struggle to verify their users’ age

Social media and streaming platforms are trying to figure out the best ways to verify a user’s age as parents and lawmakers grow increasingly concerned about the way children and teenagers use online services. This article published by Axios look at why it matters for these companies, existing and new potential laws are pushing platforms to look for solutions with varying degrees of success. You can read the article here. 

ChatGPT broke the EU plan to regulate AI

Europe’s original plan to bring AI under control is being tested by technology’s new, shiny chatbot power application. As reported in POLITICO, the tech has prompted EU institutions to rewrite their draft plans, both the Council and European Parliament are having to review their positions on the AI Act. The European Commission, Council of the EU and Parliament will start to smooth the path for a final AI Act via the all crucial trilogue negotiations, expected to start in April at the earliest. ChatGPT could well cause those negotiations a load of head scratching, as the three parties work out a common solution to the shiny new technology on offer. Read the article here.


Hungary: HU DPA fines websites of TV2 Média Csoport Zrt. in connection with legal compliance of cookie consent management

Due to violations of the GDPR case in connection with a cookie consent management system, the Hungarian data protection supervisory authority has imposed a compliance order and a fine equivalent to approximately 25,000 Euros on an indigenous media company. Read decision here.