Data Protection Weekly 11/2024

Mar 25, 2024

CEDPO

CEDPO becomes partner of the Privacy Symposium in Venice

CEDPO is an official partner of the Privacy Symposium 2024 conference in Venice from 10 to 14 June, giving our members access to reduced registration fees (10% discount). The discount can be claimed on the Privacy Symposium registration page using a code that will be distributed by CEDPO national members. Nadia Arnaboldi of ASSO DPO and Vice President of CEDPO will represent CEDPO and participate in two sessions, “The Future of DPO and Data Compliance Professionals” and “European and International DPO Federations Cooperation”. You can find the registration page here and more information about the event here.

European Union

CJEU: The mandatory insertion in identity cards of two fingerprints is compatible with the fundamental rights to respect for private life and to protection of personal data

The Court of Justice of the European Union (CJEU) ruled in case C-61/22 that the mandatory insertion of two fingerprints in identity cards is in line with fundamental rights to privacy and personal data protection. This measure, aimed at preventing false identity cards and identity theft, as well as ensuring the interoperability of verification systems, has, however, been declared invalid due to its adoption under an incorrect legal basis. Because of the serious negative consequences of the regulation being invalid with immediate effect, the CJEU has decided to maintain the regulation’s effects until a new, correctly based regulation is adopted, with a deadline set for 31 December 2026. This decision came after a German citizen challenged the City of Wiesbaden’s refusal to issue an ID card without fingerprint data, prompting a review of the EU regulation’s validity. The CJEU highlighted that fingerprints, compared to facial images, provide a more reliable form of identification, contributing to the protection of privacy, the fight against crime and terrorism, and facilitating free movement within the EU. You can read the press release here and the full decision here.

Council and Parliament: Provisional agreement on European Health Data Space

The European Parliament and the Council have provisionally agreed to establish a European Health Data Space (EHDS), aiming to improve access to personal health data across EU countries. This initiative will enable patients to electronically access their health records, including prescriptions and lab tests, across different EU healthcare systems. Health professionals will also have access to necessary patient data. The EHDS introduces measures for the secure sharing of anonymised or pseudonymised health data for purposes such as research and policy-making, while strictly prohibiting its use for advertising or insurance assessments. Patients will have significant control over their data, in particular, they will be informed whenever their data is accessed and will have the right to request or correct inaccurate data. Patients will also be able to object to healthcare professionals accessing their data for primary use. National data protection authorities will monitor the enforcement of rights to access health data and will have the power to impose fines in the event of non-compliance. The agreement still needs to be formally adopted by the European Parliament and the Council before it can become law. You can read the press release here and the compromise text here.

ENISA: Celebrating 20 years of strengthening cybersecurity

Celebrating its 20th anniversary, the European Union Agency for Cybersecurity (ENISA) announced the extension of Executive Director Juhan Lepassaar’s mandate for a second term during a ceremonial event in Athens. The celebration, attended by Greek Minister of Digital Governance, Dimitrios Papastergiou, and other dignitaries, highlighted ENISA’s two decades of advancing cybersecurity across the EU. The Management Board’s decision to extend Lepassaar’s mandate reflects confidence in his leadership and ENISA’s critical role in facing emerging cybersecurity challenges. The agency, instrumental in promoting a high common level of cybersecurity throughout the Union, looks towards a future of continued success and impact in the evolving cybersecurity landscape. You can read the press release here.

National Authorities

UK: ICO publishes new fining guidance

The UK data protection authority (ICO) has released updated fining guidance, detailing its approach to issuing penalties and calculating fines for breaches of the UK General Data Protection Regulation or the Data Protection Act 2018. This guidance aims to offer organisations clearer insight into the ICO’s use of its fining powers, fostering greater transparency. Highlighting the publication’s significance, Tim Capel, ICO Director of Legal Service, emphasised its role in providing certainty and clarity by explaining the criteria and methodology for fines. The guidance, which follows a consultation period, replaces the sections on penalty notices in the ICO Regulatory Action Policy of November 2018, and outlines the legal framework for fines, the decision-making process, and the fine calculation methodology. You can read the press release here and the full guidance here.

Italy: Garante completes the implementation phase of the new code of conduct for telemarketing

The Italian data protection authority (Garante) has accredited the monitoring body (CMO), thus completing the implementation phase of the new code of conduct for telemarketing and teleselling activities. This Code, which aims to protect individuals from unsolicited calls, will become fully operational the day after its publication in the Official Gazette. It has been endorsed by a broad coalition, including clients, call centres, telemarketers, list providers and consumer associations; the monitoring body was accredited after demonstrating the competence, independence and impartiality required under EU rules. Compliance with the Code requires comprehensive measures to ensure the proper handling and lawfulness of data processing across the telemarketing sector, including specific consent for different purposes and thorough information for those contacted about how their data will be used. It introduces penalties for each contract concluded as a result of promotional contact made without consent, and addresses the problem of rogue call centres. You can read the press release here (in Italian).

Belgium: As elections approach, APD outlines rules for election advertising

As elections approach, the Belgian data protection authority (APD) has issued a reminder of the rules governing the use of personal data for electoral purposes. It has published a new note on adhering to data protection principles when sending personalised electoral messages, whether by post or electronically, and updated the “elections” file on its website. Communication between candidates or parties and voters is crucial in a democracy, so personalised electoral messages are allowed, provided personal data is used in compliance with the GDPR and its principles. This includes ensuring that data is collected for a specific purpose and not reused for an incompatible one, and that any processing rests on one of the six legal bases set out in the GDPR. The APD also highlighted the importance of consent for electronic messaging, and raised concerns about new technologies such as data analysis and micro-targeting, emphasising transparency and fairness. You can read the press release here and the full guidance here (both in French or Dutch).

Luxembourg: CNPD releases report on Covid-19 pandemic surveillance activities

The Luxembourg data protection authority (CNPD) has published an overview of its supervisory activities during the Covid-19 pandemic, focusing on the specific information systems set up to combat the pandemic and on the new data processing activities of both public and private Luxembourgish entities. From the onset of the pandemic, the collection and processing of personal data were pivotal, including identifying positive cases, tracing high-risk individuals, and monitoring vaccination efforts. The CNPD acknowledged the significant efforts made to ensure transparency and respect for privacy despite the crisis. However, it also noted incidents where data protection lapses occurred. Rather than imposing sanctions, the CNPD focused on educating organisations in proper data handling practices, especially for medical data, with awareness and transparency as the aim. The document covers the cases the CNPD followed closely and does not claim to reflect the full range of its observations. You can read the full document here (in French).

Global

General Assembly adopts landmark resolution on artificial intelligence

On 21 March 2024, the UN General Assembly adopted a landmark resolution, led by the United States and supported by over 120 Member States, focusing on the promotion of “safe, secure, and trustworthy” artificial intelligence (AI) systems. This resolution, a first of its kind, aims to benefit sustainable development and insists on the respect, protection, and promotion of human rights in AI’s design, development, deployment, and use. It acknowledges AI’s potential to expedite progress towards the 17 Sustainable Development Goals. Additionally, the resolution calls for the protection of rights online and offline, urges the development of regulatory frameworks for AI use, and emphasises the importance of closing the digital divide, particularly in developing nations. It signals an historic step towards the safe use of AI, echoing hopes for future discussions on AI’s challenges across various sectors. You can read the full press release here.

Sanctions

Norway: Datatilsynet imposes fine of NOK 20 million on Norwegian Labour and Welfare Administration

The Norwegian data protection authority (Datatilsynet) has imposed a fine of NOK 20 million (equivalent to € 1,720,000) and several enforcement notices on the Norwegian Labour and Welfare Administration (NAV) following an inspection. The inspection assessed NAV’s confidentiality safeguards, in particular access control and log monitoring, and uncovered several serious deviations. Although NAV largely agreed with the findings, it had numerous remarks on the notice of the fine. The Datatilsynet highlighted NAV’s systemic and organisational weaknesses, including inadequate prioritisation of personal data security and insufficient resource allocation by management. In this situation there is a high risk that compliance is a matter of chance, which is unacceptable for an authority such as NAV, which underpins Norway’s welfare model. The size of the fine reflects the long-term exposure of sensitive personal data without the necessary security measures and NAV’s insufficient response to previous warnings. NAV has three weeks to appeal the decision. You can read the press release here and the full decision here (both in Norwegian).

Iceland: Subway Iceland’s operator fined for employee surveillance

The Icelandic data protection authority (Persónuvernd) imposed a fine of ISK 1.5 million (equivalent to €10,150) on Stjörnuna ehf., the operator of Subway in Iceland, for electronic surveillance violations. A Subway employee complained that the company had monitored his work performance without informing him of the surveillance or of his rights. Evidence showed that a store manager had taken multiple screenshots of the complainant from surveillance cameras and annotated them with the employee’s activities. The Persónuvernd found that Stjörnuna ehf.’s electronic monitoring did not align with its stated purposes and constituted work performance monitoring. In addition, the company’s signage and training did not comply with personal data protection law. Despite certain mitigating factors considered in Stjörnuna ehf.’s favour, discrepancies in the company’s responses to the Persónuvernd’s inquiries and the controller’s attitude at the time of the violation led to the imposition of the fine. You can read the press release here (in Icelandic).

Denmark: Datatilsynet reprimands two parking companies for failing to inform

Denmark’s data protection authority (Datatilsynet) has concluded its examination of three major parking companies, focusing on their compliance with the obligation to inform individuals about the use of their personal data when issuing parking fines. The investigation, prompted by citizen complaints, scrutinised the companies’ practices, particularly the use of CCTV technology when issuing fines. Datatilsynet found that two of the companies did not adequately inform individuals (the parkers) about the processing of their personal data at the time of the fine, and criticised them for failing to meet their transparency obligations. One company was found to comply with the requirements by linking to its privacy policy in its payment demands, thereby adequately informing individuals. Datatilsynet emphasised that merely having the information available on a website does not fulfil the obligation to inform. You can read the press release here.