Data Protection Weekly 11/2023

Mar 16, 2023

European Union

EDPB: Launch of coordinated enforcement on role of data protection officers

This week, the European Data Protection Board has kicked off its 2023 Coordinated Enforcement Framework (CEF) action. Throughout the year, 26 DPAs across the EU/EEA (including the EDPS) will take part in the CEF 2023 on the designation and position of data protection officers (DPOs).

To gauge whether DPOs have the position in their organisations required by Art. 37-39 GDPR and the resources needed to carry out their tasks, participating DPAs will implement the CEF at national level in a number of ways:

  • DPOs will be sent questionnaires to aid a fact-finding exercise or questionnaires to identify whether a formal investigation is warranted;
  • commencement of formal investigations by DPAs;
  • DPA follow-up of ongoing formal investigations.

The EDPB press release, which includes links to national DPA announcements, can be read here.

ENISA: Cybersecurity of AI and Standardisation

The European Union Agency for Cybersecurity has published an overview of standards related to the cybersecurity of artificial intelligence which helps identify and assess gaps in standards. The report also examines how standardisation can support the implementation of the cybersecurity aspects embedded in the proposed EU AI Act regulation. The report can be downloaded here.

European Parliament: Data Act – MEPs back new rules for fair access to and use of industrial data

The draft Data Act, which was adopted on Tuesday 14 March, is seen as key to contributing to the development of new services, in particular in the field of artificial intelligence, where huge amounts of data are needed for algorithm training. “The Data Act will be an absolute game changer providing access to an almost infinite amount of high-quality industrial data. Competitiveness and innovation are part of its DNA,” said lead MEP Pilar del Castillo (EPP, ES). The text was adopted with 500 votes to 23, with 110 abstentions. MEPs are now ready to enter into negotiations with the Council on the final shape of the law. The European Parliament press release can be read here.

National Authorities

Belgium: Complaint concerning the transfer of letters containing personal data from the King’s Office to the Government of the German Speaking Community

The Belgian data protection supervisory authority has requested that the office of the King of Belgium improve the application of its data protection policies and its approach to citizens’ requests and correspondence, as well as provide more transparent information on the forwarding of complaints. However, since the King’s cabinet enjoys a substantial level of immunity, the authority could not impose sanctions. Read the decision (in French) here.

CNIL: Priority investigation topics for 2023 are the use of “augmented” cameras, mobile applications, bank files and patient records

While the CNIL carries out regular checks on the basis of complaints received and current events, it also determines a number of priority areas of focus for each year. In 2023, the CNIL has elected to focus on the use of “augmented” cameras by public actors, the use and processing of personal credit incident files, the management of health records, and mobile applications. A recent press release (in French) can be read here.

Germany: BayLDA participates in second joint review action of the European data protection supervisory authorities

The Bavarian State Office for Data Protection Supervision (BayLDA) is participating in the second Europe-wide review action of the European data protection supervisory authorities, which started this week. Coordinated by the European Data Protection Board, the review action is dedicated to the position and tasks of data protection officers.

[…] Michael Will, President of the BayLDA, explains the goal of the joint Europe-wide audit: “For the BayLDA, data protection officers have always been more than just the first point of contact inside the supervisory authority. They are the guarantors of data protection in everyday life, especially for small and medium-sized enterprises. Day after day, they make a key contribution to the success of data protection-compliant digitalisation. […] The joint audit action forms the framework for a precise analysis of the current conditions for action in business practice and the exchange of data protection authorities on possible improvements or even remedial measures.” Read the press release (in German) here.

Germany: Press release of the Federal Commissioner for Data Protection and Freedom of Information

The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Professor Ulrich Kelber, handed over his annual activity report for the year 2022 to the President of the German Bundestag on Wednesday.

The BfDI chaired the Conference of Independent Data Protection Supervisory Authorities (DSK) in the year under review and sees room for improvement in many laws and projects: “There is still too much focus on looking at how data protection can adapt to projects instead of looking for legally compliant solutions right from the start,” Kelber stated.

In addition to health topics, such as the e-prescription, the electronic patient file, or the handling of research data, the BfDI dealt with matters such as the European digital rights acts and the Facebook fan page of the Federal Government. Last year, the BfDI received 10,658 reports of data protection violations and 491 submissions relating to the freedom of information law. Citizens submitted 6,619 complaints and enquiries to the Federal Data Protection Commissioner directly. Read the press release here.

Germany: Current Data Protection Report: Risk XXL on the Horizon

Dr. h. c. Marit Hansen, the Schleswig-Holstein State Commissioner for Data Protection and Freedom of Information, has presented the annual activity report for the year 2022. The report provides an overview of the diverse data protection and freedom of information issues that Hansen and her staff at the Independent Centre for Data Protection (ULD) dealt with last year. Unfortunately, the daily business also includes numerous data breaches that should have been avoided, even in the sensitive health sector.

The ULD’s topics range from anonymisation and employee data protection, from COVID19 … to certification. At the top of the complaints list: video surveillance, with 188 complaint cases and 61 requests for advice in 2022. You can read the report (in German) here.

Germany: Claims for damages due to scraping are often rejected

After numerous rulings in recent weeks, a trend is emerging in which claims for compensation for non-material damages under Art. 82 GDPR due to scraping incidents at Facebook are predominantly being rejected. Initially, it was unclear how the courts would evaluate the claims.

However, the current rulings in the resulting mass actions for damages are likely to be sobering for the plaintiffs. Some courts have already denied a violation of the GDPR; many others have concluded that the plaintiffs have not sufficiently demonstrated their damage. Most of the proceedings that are known so far have ended with a dismissal of the claim. See court decisions such as:

  • Hamburg Regional Court, judgment of March 1, 2023, Case No. 316 O 188/22 (GRUR-RS 2023, 3283): No compensation for personal damages under Art. 82 GDPR due to scraping at Facebook. A data protection violation as such is not sufficient; concrete damage is required.
  • Osnabrück Regional Court, judgment of March 3, 2023, Case No. 11 O 834/22 (GRUR-RS 2023, 3281): No claim for damages for personal injury under Art. 82 GDPR due to scraping on Facebook. Regardless of any violation of the GDPR, there is no immaterial damage.

ICO: Guidance on AI and data protection

The ICO guidance on AI and Data Protection has been updated after requests from UK industry to clarify requirements for fairness in AI. It also delivers on a key ICO25 commitment, which is to help organisations adopt new technologies while protecting people and vulnerable groups. More can be read on this update here.

Global

Rishi Sunak hints at TikTok ban from UK government devices

The UK could follow the US and Canada in banning TikTok from government devices, with Sunak saying he will take “whatever steps are necessary” to protect Britain’s security. The British prime minister said the UK was “looking at what our allies are doing” in the wake of the decision by other countries to remove TikTok from government phones amid fears over the social video app’s links to China. The European Commission and European Parliament have also banned TikTok from staff devices. Read the Guardian article here.

Amsterdam District Court finds that Facebook violated the privacy of Dutch Facebook users between 2010 and 2020

Facebook has been found guilty of violating the privacy of Dutch users of its platform. This was determined by an Amsterdam court in a case brought by the Consumers’ Association and the Data Privacy Foundation (DPS). The court ruled that Facebook did not adequately inform Dutch users about what the platform does with their data, such as personalised advertising. Furthermore, the court found that in the absence of consent, Facebook did not have a sufficient legal basis for such data processing. The full story (in Dutch) can be read here, and the court press release (in Dutch) here.

Biden administration’s cloud security problem: ‘it could take down the internet like a stack of dominos’

The Biden administration is embarking on the nation’s first comprehensive plan to regulate the security practices of cloud providers. […] The White House worries that the cloud is becoming a huge security vulnerability. So it’s embarking on the nation’s first comprehensive plan to regulate the security practices of cloud providers like Amazon, Microsoft, Google and Oracle, whose servers provide data storage and computing power for customers […]. Read the POLITICO article here.

WhatsApp: Rather be blocked in UK than weaken security

WhatsApp says it would rather be blocked in the UK than undermine its encrypted-messaging system, if required to do so under the Online Safety Bill. Its head, Will Cathcart, said it would refuse to comply if asked to weaken the privacy of encrypted messages. This follows a similar message from another messaging app, Signal, which previously said it could stop providing services in the UK if the bill required it to scan messages. Read the BBC article here.

OECD: Emerging privacy-enhancing technologies Report

The OECD Directorate for Science, Technology and Innovation (STI) has published a report that examines privacy-enhancing technologies (PETs). The report reviews recent technological advancements and evaluates the effectiveness of different types of PETs, as well as the challenges and opportunities they present. You can read more and access the report here.

Leading MEP enraged by Swedish presidency’s neglect of ePrivacy Regulation

The European Parliament’s rapporteur Birgit Sippel has sent a letter, seen by EURACTIV, to the Swedish ambassador, asking the holders of the EU Council presidency to accelerate work on a file that seems to be off their priority list. The ePrivacy Regulation, once meant to be put in place together with the GDPR, has been stuck in a political stalemate for almost six years, first between national governments in the EU Council of Ministers and now in the interinstitutional negotiations, the so-called trilogues. You can read the full EURACTIV article here.

Fines

Germany: Court fines company €10,000 in damages for breach of the right to information under the GDPR

In its February 2023 ruling, the Oldenburg Labour Court ordered a company to pay a former employee non-material damages of 10,000 euros under Article 82 of the GDPR for failing to comply with a right-to-information request made by the former employee under Article 15(1) of the GDPR. The violation of the GDPR itself already gave rise to non-material damages to be compensated; the court deemed a more detailed description of the damages unnecessary. Read the summary (in German) here.

Romania: The DPA (ANSPDCP) fines political party €10,000 for multiple GDPR violations

The National Supervisory Authority for Personal Data Processing (ANSPDCP) imposed a fine of €10,000 on the Alliance for the Union of Romanians (‘A.U.R.’), a political party, for violations of Articles 5(1)(2) of the GDPR following an investigation. This is the second time this year that a Romanian political party has been on the receiving end of a fine. The DPA press release (in Romanian) can be read here.