Data Protection Weekly 12/2023

Mar 23, 2023

European Union

CJEU: The automated establishment of a probability concerning the ability of a person to service a loan constitutes profiling under the GDPR

Advocate General Priit Pikamäe of the Court of Justice of the European Union has said that automated loan scoring, used to determine the probability of an individual obtaining a loan, constitutes profiling under the GDPR. The Advocate General also takes the view that the retention and storage of (personal) data by a private credit information agency cannot be lawful, under the provisions of the GDPR, once the personal data concerning insolvency have been erased from public registers. Moreover, an individual has the right to obtain from the controller the erasure of their personal data without undue delay. The full press release can be read here.

ENISA: European Union Agency for Cybersecurity launches platform related to EU cybersecurity certification

The objective of the new website is to promote and disseminate information related to the EU cybersecurity certification currently being developed, such as information on the certification schemes dedicated to ICT products, cloud services, and 5G networks. The platform also provides guidance on the implementation of certifications. You can read more and access the platform here.

National Authorities

Denmark: The Danish DPA is to launch a GDPR guide for SMEs

The DPA, in collaboration with the state bodies Dansk Erhverv, Dansk Industri and SMEDanmark, has created new GDPR guidance content for small businesses. The guidance is built around 7 steps that companies can follow to get better control of their GDPR compliance. Concrete examples have been made for each step. Furthermore, the material consists of a comprehensive FAQ as well as down-to-earth descriptions of the basic concepts of the GDPR. The guidance will be officially launched with an introductory webinar in May. More information (in Danish) can be read in the press release here.

France: “The Digital Guardians” escape game based on privacy will be organised at the Museum and Exhibition center ‘Cité des Sciences et de l’industrie’ in Paris.

From March 21 to April 3, 2023, the CNIL, the VYV group, and the An@é-Educavox will be hosting their escape game “The Digital Guardians” at the Library of Science and Industry museum and centre in Paris. The initiative was launched in 2019 to raise awareness among young people and their families about the major digital issues facing society. To find out more about this fun experience aimed at augmenting digital citizenship, read (in French) the CNIL press release here.

France: The CNIL publishes its first thematic dossier dedicated to digital identity

Digital identity involves many challenges, particularly for people’s privacy. In its first “thematic file” approach, a new publication format intended to take stock of a given subject, the CNIL presents the major key principles and its positions on the topical matter. The file is addressed to the general public, both private and public sector organisations and researchers. The press release (in French) can be read here.

UK: ICO issues reprimand to the Metropolitan Police Service for inadequate handling of files related to organised crime groups

The ICO has issued a reprimand to the Metropolitan Police Service (MPS) following several issues identified around their uploading, amending and deleting of various criminal intelligence files relating to Organised Crime Groups. The breach is reported to have happened between April and July 2020. It was first identified that a coding issue had occurred on the Police National Database, resulting in a small set of test data being inadvertently introduced to the live system, creating issues with updates and accurate reporting around sensitive files. The ICO statement can be read here.


EU mulls setting global digital standards with UN Global Digital Compact

The European Union intends to push for its digital rules to become new international standards at a United Nations convention intended to produce a global vision of the digitalised society. The United Nations’ Global Digital Compact is a similar case. The initiative will shape the shared principles for the world’s digital future. It will be endorsed at the UN’s Summit of the Future in September 2024, to be preceded by a ministerial meeting in September 2023. Earlier this month, a technical body of the EU Council adopted the EU’s “contribution to the global digital compact”. The March document sets out priority areas and underscores how Brussels-made rules provide an example to be followed. EURACTIV have the story here.

The PICCASO Privacy Awards Europe 2023 is now open for submissions

The PICCASO Privacy Awards Europe 2023, the world’s first-of-its-kind awards ceremony dedicated to celebrating the excellence and achievements in data protection and privacy, is now open for entries. Following on from the success of the 2022 UK awards, and due to popular demand, the 2023 awards have been expanded to Europe. For more information on the Awards and submission process visit the event website here.

Child sexual abuse: Data retention, quick removals top concerns for EU states

Fifteen European governments have given feedback regarding the draft law to fight CSAM in a commentary document dated 15 March. The commentary, albeit partial, indicates some of the most significant points of concern raised by the EU capitals. EU countries have predominantly commented on the scope surrounding end-to-end encryption, data retention, quick removals of such material, and preservation of evidence, according to EURACTIV. The story can be read here.

Irish Government has published The General Scheme of the Digital Services Bill 2023

In March 2023 the General Scheme of the Digital Services Bill 2023 was released by the Irish Department of Enterprise, Trade and Employment. The Digital Services Bill will support, at a national level, the Digital Services Act (Regulation (EU) 2022/2065) which came into force on 16 November 2022. Some of the DSA had immediate effect when it came into force, but the broader application of the DSA in all Member States takes effect from 17 February 2024. The Digital Services Bill 2023 is necessary to give effect to certain provisions of the Digital Services Act, where the EU regulation does not directly apply, such as the designation and empowerment of a competent authority. The government’s press release and access to the full text can be read here.

Bill Gates publishes an Opinion piece on artificial intelligence: “The Age of AI has begun”.

Bill Gates published a 7-page letter on the future of artificial intelligence. Gates focuses on three sectors AI could transform: the workforce, healthcare, and education. The letter adds to the contemporary conversation and debate around AI chatbots which have exploded in recent months. The letter can be read here.

‘We are a little bit scared’ – OpenAI CEO warns of risks of artificial intelligence

Sam Altman, CEO of OpenAI, the company that developed the controversial consumer-facing artificial intelligence application ChatGPT, has warned that the technology comes with real dangers as it reshapes society. The OpenAI CEO stressed that regulators and society need to be involved with the technology to guard against potentially negative consequences for humanity. […] “I’m particularly worried that these models could be used for large-scale disinformation,” Altman said. “Now that they’re getting better at writing computer code, [they] could be used for offensive cyber-attacks.” Read full article here.

Ransomware gang threatens Amazon’s Ring with data leak

A ransomware gang is threatening the largest system of doorbell cameras in the US, claiming that it has some amount of stolen data. The group claims to have broken into Amazon’s Ring system, though Amazon has yet to confirm the incident and details are mostly coming from anonymous sources speaking to the media. […] Amazon would only confirm that an unnamed third party vendor was breached, and said that this vendor does not have access to customer records. You can read the CPO Magazine story here.

Top EU judge expects a wave of litigation from tech giants against new tech law

The Digital Markets Act (DMA), which came into force in November of 2022 and classifies online platforms with more than 45 million users as gatekeepers, is likely to see legal challenges in the future. Marc van der Woude, president of the General Court, which is part of the Court of Justice of the European Union, thinks we may see cases already in 2023 and into next year. He said areas of dispute will likely focus on the gatekeeper designation, the specification of gatekeepers’ obligations, and enforcement of the DMA. The full Reuters story can be read here.


Finland: Finnish SA imposes fine on Suomen Asiakastieto Oy for non-compliance with the supervisory authority’s order

The Finnish SA imposed an administrative fine of 440,000 EUR on the controller for failing to erase inaccurate payment default entries saved into the credit information register due to inadequate practices. The SA pointed out that a payment default entry has a significant impact on the rights and freedoms of an individual. Read further here.

Germany: The Oldenburg Labour Court issued a 10,000 EUR fine in compensation for delayed access to information, a GDPR violation

In its judgement of 09.02.2023 (case no. 3 Ca 150/21), the Oldenburg Labour Court ruled that a company must pay a former employee 10,000 EUR in damages for late provision of information.

The plaintiff had submitted a request for information to his former employer under Article 15 of the GDPR. The company had refused to provide the information for over 20 months and only provided individual pieces of information in the course of the court proceedings. In addition to the full information, the plaintiff also demanded damages under Art. 82 of the GDPR. Read the judgment (in German) here.

Norway: GDPR Violation fine imposed on Argon Medical Devices

The Norwegian Data Protection Authority has decided to impose an infringement fee of NOK 2.5 million (approx. 220,000 EUR) on the American company Argon Medical Devices for breaching the GDPR. In July 2021, Argon discovered a security breach that affected the personal data of all their European employees, including in Norway. Argon only notified the DPA in September 2021, long after the 72-hour deadline foreseen for reporting a breach under the regulation’s Article 33. The security breach concerned personal data that can be used for fraud and identity theft. The press release (in Norwegian) can be read here.