Data Protection Weekly 12/2022

Mar 24, 2022

European Union

EDPB adopts guidelines on Article 60 GDPR, guidelines on dark patterns and a toolbox

The EDPB announced, on 15 March 2022, that it had adopted guidelines on article 60 of the GDPR, guidelines on dark patterns in social media platform interfaces, a toolbox on essential data protection safeguards for enforcement cooperation  between the European Economic Area and third country supervisory authorities.
The article 60 guidelines provide a detailed description of the GDPR cooperation between the supervisory authorities . It aims to increase consistent application of the legal provisions relating to the one-stop-shop mechanism.

The dark patterns guidelines offer practical recommendations to designers and users on how to assess and avoid dark patterns in social media platform interfaces that infringe GDPR requirements. It contains concrete examples of dark patter types and best practices for different use cases.

The toolbox covers key topics such as enforceable rights of data subjects, compliance with data protection principles and judicial redress.

You can read the press release here.


EDPB-EDPS adopt joint opinion on extension of Digital COVID Certificate regulation

You can read the press release here and the joint opinion here


National Authorities

Ireland : ICCL initiates legal action against DPC for failing to investigate Google

The Irish Council for Civil Liberties  announced, on 15 March 2022, that it is taking legal action against the DPC for allegedly failing to properly investigate Google.

The High Court of Ireland, on 14 March 2022, granted leave for ICCL to take legal action against the DPC for inaction.

According to the ICCL, Google’s real time bidding cand broadcast private information of individuals to other tracking companies, action that infringe the GDPR principles.

According to the ICCL, the DPC received on 12 September 2018, a complaint regarding Google’sRTB data breach but did not investigate and act on the complaint under the GDPR.

As Google’s EU operation is based in Ireland, the DPC has the lead responsability to oversee its compliance to the european data protection law.

You can read the press release here. You can read the press release here and the joint opinion here.


Spain : AEPD publishes guidance on smart contracts

The AEPD published, on 14 March 2022, guidance on smart contracts in blockchain and personal data. According to the guidance, smart contracts are algorithms that run without human intervention on a blockchain. They can have a significant impact on natural persons or elaborate profiles and as such,  should respect the requirements under Article 22 of the GDPR.

.Alongside to the obligations under Article 22 of the GDPR, the guidance notes that the following safeguards may also be necessary when using smart contracts:

  • Security and management measures
  • Notification and communication of personal data breaches based on the risk to the rights and freedoms of the interested parties.
  • data protection policies;
  • Minimum of exercise of rights and protection measures by design and by default.

You can read the guidance, only available in Spanish, here.


France : CNIL publishes a guide dedicated to DPOs

The CNIL published on 15 March 2022, a guide dedicated to Data Protection Officers.

AFCDP has played an active advisory role with the CNIL for its creation.

The guide provides essential and precise information about the DPO.  It provide clear information on how to ensure the independance of the DPO in its tasks to improve its efficiency and without any conflict of interest.

According to the guide, there is no typical profile for a DPO : according to a study on DPOs carried out by AFPA,  around 28% of DPOs have an IT profile, and the same percentage a legal
profile, the remaining 43% coming from administration, finance, compliance, audit, etc.

The Guide is organised into four parts :

  1. The role of the DPO ;
  2. Appointing a DPO ;
  3. Performing the function of DPO ;
  4. CNIL’s support for DPOs

Each topic is illustrated by concrete examples and answers to FAQs on the subject.

You can read the guide here.


Ireland : DPC fines Meta €17M for failure to implement technical and organisational security measures and lack of accountability

The DPC announced, on 15 March 2022, that it had adopted a decision in which it imposed a fine of €17 million on Meta Platforms Ireland Limited for violations of Articles 5(2) and 24(1) of the GDPR, following an inquiry into a series of 12 data breach notifications it received between June 2018 and December 2018.

By its inquiry, the DPC examined the extent to which Meta complied with the articles 5(1),24(1) and 32(1) of the GDPR in relation to the processing of personal data relevant to the 12 breach notifications.

As the processing under examination was cross-border, the DPC’s decision was subject to the co decision-making process outlined in article 60 of the GDPR. For the DPC, Meta did not have in place appropriate technical and organisational measures nor demonstrate the implementation of security measures to protect EU users’data, in the context of the 12 personal data breaches, in violation of Articles 5(2) and 24 (1) of the GDPR.
In view of the above findings, the DPC imposed a fine of €17M on Meta.

You can read the press release here.