Data Protection Weekly 10/2024

Mar 18, 2024

European Union

EDPS: European Commission’s use of Microsoft 365 infringes data protection law for EU institutions

The European Data Protection Supervisor (EDPS) has determined that the European Commission’s use of Microsoft 365 infringes several key data protection rules, necessitating corrective actions. The EDPS identified violations of Regulation (EU) 2018/1725, particularly regarding transfers of personal data outside the EU/EEA without appropriate safeguards ensuring an equivalent level of data protection. The Commission also failed to specify which types of personal data are collected via Microsoft 365 and for which purposes. Consequently, the EDPS orders the Commission to suspend, by 9 December 2024, all data flows resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors located in countries outside the EU/EEA that are not covered by an adequacy decision, and to bring its processing operations into compliance with the Regulation by the same deadline. These measures aim to remedy the identified prolonged and serious infringements and to ensure compliance with data protection rules, taking into account the public interest functions of the Commission. You can read the press release here.

CJEU: The supervisory authority of a Member State may order the erasure of unlawfully processed data even in the absence of a prior request by the data subject

The Court of Justice of the European Union (CJEU) ruled in case C-46/23 that the supervisory authority of a Member State may order the erasure of unlawfully processed data even in the absence of a prior request by the data subject. The case involved a Hungarian municipality that collected personal data to verify eligibility for COVID-19 financial aid but breached GDPR rules. The supervisory authority ordered the municipality to erase the data, but the municipality challenged this decision. The CJEU clarified that supervisory authorities have the power to order the erasure of unlawfully processed data, even without a prior request from the data subject, and that this applies both to data obtained directly from the individual and to data obtained from other sources. The CJEU highlighted that such powers are essential for the effective enforcement of data protection law, ensuring that entities cannot unlawfully retain or misuse data, regardless of whether the data subjects have filed a complaint. You can read the press release here and the full decision here.

European Parliament: MEPs adopt Artificial Intelligence Act

The European Parliament has passed the Artificial Intelligence Act, marking a significant milestone in regulating AI technologies to ensure they respect fundamental rights while fostering innovation. Adopted with a strong majority, this legislation delineates clear boundaries for AI usage, focusing in particular on high-risk applications. It explicitly bans certain AI applications that threaten citizens’ rights, such as predictive policing or social scoring. It imposes stringent requirements on high-risk AI systems, including comprehensive risk assessments, transparency, and human oversight, thereby ensuring safety in areas like healthcare, law enforcement, and education. The Act also addresses the deployment of general-purpose AI, mandating clear transparency requirements, and encourages innovation through support mechanisms such as regulatory sandboxes for AI development. Following its parliamentary approval, the Act awaits formal Council endorsement, with phased applicability designed to facilitate a smooth transition to the new regulatory environment. You can read the press release here.

National Authorities

France: CNIL investigates France Travail data leak and gives recommendations to protect oneself

The French data protection authority (CNIL) is currently investigating a significant data breach at France Travail, previously known as Pôle emploi. The French government agency, which registers unemployed people, reported a cyberattack possibly affecting 43 million individuals. The compromised data includes names, social security numbers, and contact details, but no passwords or bank data. In response, the CNIL has issued guidance for potential victims, urging vigilance against suspicious communications and advising never to disclose sensitive information on impulse. It recommends navigating directly to official websites, routinely monitoring accounts, and consulting cybermalveillance.gouv.fr for further protective measures. Alongside these precautionary recommendations, the CNIL is conducting an urgent investigation to assess whether France Travail’s pre- and post-incident security measures comply with GDPR requirements. This incident underscores the necessity of robust data protection measures. You can read the press release here (in French).

Spain: AEPD discusses data processing security vs information system security in new blogpost

The Spanish data protection authority (AEPD) has published a blogpost highlighting the crucial distinction between focusing solely on information systems security and adopting the broader perspective of data processing security required by the GDPR. This broader approach requires controllers to evaluate and mitigate the risks that the processing poses to the rights and freedoms of individuals, beyond mere system integrity. The AEPD criticises a narrow, system-focused security mindset and advocates comprehensive risk assessments and the implementation of robust safeguards within data processing activities. The AEPD uses access control failures as a case study, illustrating that a system operating exactly as designed does not rule out a personal data breach under the GDPR. It underscores the responsibility of data controllers to recognise and manage such breaches through diligent risk assessment and the subsequent actions mandated by GDPR Articles 33 and 34, thus reinforcing the imperative of processing-centric security to uphold individual rights and freedoms. You can read the full blogpost here (in Spanish).

France: CNIL publishes a guide for public affairs professionals

In an effort to facilitate GDPR compliance for public affairs professionals, the French data protection authority (CNIL) has collaborated with industry associations to produce a dedicated guide. This guide is the result of over two years of dialogue involving the French Association of Lobbying and Public Affairs Consultancies (AFCL), the Association of Public Affairs Professionals (APAP), the Association of Legal Advisors in Public Affairs (A-CAP), and the Public Relations Consultancy Union. It aims to give public affairs professionals a comprehensive understanding of their legal obligations under the GDPR, enhancing legal certainty and enabling effective personal data protection in their daily operations. The guide offers nuanced insights into data processing activities specific to the field, such as stakeholder analysis, engagement planning, and the management of professional networks, and provides detailed advice on responsibilities, legal bases for data processing, the handling of sensitive data, the provision of information to data subjects, and data retention, so that professionals are well equipped to protect personal data responsibly. You can read the press release here and the full guide here (both in French).

Sweden: IMY announces its annual action plan for 2024

The Swedish data protection authority (IMY) has announced its supervisory strategy for 2024, which combines complaint-driven, risk-based and pre-planned investigations. This strategy responds to the Court of Justice of the European Union’s requirement for more in-depth investigation of individual complaints and to the Supreme Administrative Court’s decision allowing individuals to challenge IMY decisions. Besides the scrutiny of complaints, IMY’s agenda includes initiating risk-based inspections on its own initiative, based on data breach notifications, tips or other relevant insights. Moreover, the authority plans to examine municipalities’ compliance with the GDPR and to assess the deployment of new technical solutions in camera surveillance, ensuring that robust data protection standards are maintained across various operational contexts. You can read the press release here and the full plan here (both in Swedish).

Poland: UODO may consider complaints against parliamentary committees

In a significant development, Mirosław Wróblewski, the President of the Polish data protection authority (UODO), has clarified that the GDPR applies to the activities of parliamentary committees of inquiry. This clarification follows an inquiry from Adam Szłapka, the Minister for EU Affairs, and references the CJEU’s ruling of 16 January 2024 (case C-33/22), which established that such committees’ activities do not pertain to national security and thus fall within the scope of EU law. Consequently, Wróblewski stated that Polish legislation is consistent with this interpretation and does not require amendment. However, the GDPR must be interpreted in a way that empowers the President of UODO to consider complaints regarding the processing of personal data by these committees. You can read the press release here (in Polish).

Global

Airbnb bans indoor security cameras

Airbnb has revised its policy on security cameras across its global listings to enhance privacy for its users. The new policy prohibits indoor security cameras altogether and introduces stricter rules for outdoor cameras and other monitoring devices. Previously, indoor cameras in common areas were allowed if they were disclosed, clearly visible, and kept out of private spaces such as bedrooms and bathrooms. Now, to foster greater clarity and trust, all indoor cameras are banned, a change that affects only a minority of listings. The updated outdoor camera policy requires hosts to disclose the presence and location of such devices before booking and forbids their use in certain outdoor areas. Additionally, the new guidelines permit noise decibel monitors only where they measure noise levels without recording. This policy change, effective 30 April, follows consultations with stakeholders and aims to bolster community confidence in Airbnb’s commitment to privacy. You can read the press release here.

Sanctions

France: CNIL imposes fifteen new sanctions under the simplified procedure since January 2024

Since January 2024, the French data protection authority (CNIL) has imposed fifteen new sanctions under its simplified procedure, with cumulative fines totalling €98,500. These actions underscore a significant increase in regulatory scrutiny, compared with twenty-four similar decisions throughout the whole of 2023. The main infringements concerned inadequate resources and support for DPOs, insufficient cooperation with the CNIL, security failures (notably in the implementation of TLS protocol versions and cipher suites), violations of individuals’ rights (in particular the rights to erasure and objection and the right of access to medical records), failure to provide information in the context of political campaigning, and failure to comply with processors’ obligations. The simplified procedure allows for swift resolution of straightforward cases without a public session, caps fines at €20,000, and keeps the identities of the penalised entities confidential. You can read the press release here (in French).

Norway: Grindr challenges the Norwegian Privacy Appeals Board ruling in court

Grindr is challenging the decision of the Norwegian Privacy Appeals Board (Personvernnemnda), which upheld a NOK 65 million (approximately €5,681,000) infringement fee for alleged data protection violations. The legal proceedings focus on Grindr’s challenge to the Personvernnemnda’s finding that it lacked valid consent when sharing user data with advertisers. The case, which scrutinises Grindr’s consent practices and their implications for user privacy, particularly regarding data revealing sexual orientation, is being heard by the Oslo District Court from 12 to 14 March. Grindr maintains that its consent mechanisms were compliant, disputes the categorisation of app usage data as indicative of sexual orientation, and argues that the fine is excessive. The government attorney represents the state in this pivotal legal challenge, whose outcome is likely to affect data protection enforcement and business practices across the tech industry. You can read the press release here (in Norwegian).