Data Protection Weekly 12/2024

Apr 2, 2024

European Union

European Commission: DMA investigations opened against Alphabet, Apple and Meta

The European Commission has launched investigations into tech giants Alphabet, Apple and Meta under the Digital Markets Act (DMA), focusing on issues such as Google Play’s steering rules, Apple’s App Store and Safari choice screens, and Meta’s ‘pay or consent’ model. Concerns have been raised about whether these companies’ practices comply with the DMA’s obligations to ensure fair and open digital markets. Alphabet is under scrutiny for possible self-preferencing in Google search, while Apple’s new fee structure for alternative app stores and Amazon’s marketplace ranking practices are also under investigation. The Commission has also issued document retention orders to key gatekeepers, including Microsoft, to monitor compliance, and extended the deadline for Meta’s interoperability commitments with Facebook Messenger. The investigations aim to address any breaches of the DMA requirements, with potential fines and remedies on the horizon. You can read the press release here.

ENISA: Updated insight into 2030 cybersecurity threats

The European Union Agency for Cybersecurity (ENISA) has released the executive summary of its “Foresight Cybersecurity Threats for 2030” report, identifying the key cybersecurity threats expected to have an impact by 2030. The top threats include supply chain compromises, advanced disinformation, and the abuse of AI. Notably, skill shortages have risen to the second position, emphasising the need for organisational development in cybersecurity talent. The report also marks the entry of “Exploitation of Unpatched and Out-of-date Systems” and the “Physical Impact of Natural/Environmental Disruptions on Critical Digital Infrastructure” into the top ten threats. ENISA’s Executive Director, Juhan Lepassaar, stresses the importance of persistent threat observation and assessment to enhance cybersecurity mitigation plans. The report aims to facilitate a comprehensive understanding of the cybersecurity threat landscape and to build robust cybersecurity frameworks and practices. You can read the press release here.

National Authorities

Portugal: CNPD suspends Worldcoin biometric data collection

The Portuguese data protection authority (CNPD) has temporarily suspended the collection of iris, eye and face biometric data by the Worldcoin Foundation in the national territory. This decision, which affects more than 300,000 people already involved in the exchange of cryptocurrency, follows numerous complaints about the collection of data from minors without the consent of their legal guardians, as well as issues relating to the provision of information, deletion of data and withdrawal of consent. The 90-day suspension will remain in place until the CNPD completes its investigation, with the aim of safeguarding the right to personal data protection, particularly for minors. The urgency of this action reflects the high risk to citizens’ fundamental rights amid reports of Worldcoin’s rapid expansion and lack of age verification of participants. The CNPD’s actions underline the increased protection required for biometric data, and the special consideration required for minors under the GDPR. You can read the press release here and the full decision here.

France: CNIL publishes five-year report on data breach notifications

The French data protection authority (CNIL) has published its first comprehensive report on GDPR compliance and data breach notifications, covering the period from May 2018 to May 2023. During these five years, the CNIL received 17,483 notifications of data breaches. However, this figure may not fully represent the actual number of incidents, as it includes multiple notifications of single incidents where a service provider affected by a breach reports to its clients, who then also submit their notifications. The increasing trend in data breach notifications raises the question of whether this reflects an actual increase in data security threats or improved compliance awareness. The report also highlights that hacking, particularly through ransomware and phishing, is the most common origin of breaches. It identifies the critical sectors most affected, including private sector SMEs and healthcare, and underlines the importance of strong security measures and regular updates to mitigate risk. You can read the full article here (in French).

France: CNIL releases the 2024 edition of its personal data security guide

The French data protection authority (CNIL) has updated its practice guide for the security of personal data, introducing significant changes in its 2024 edition. The guide, which emphasises the importance of complying with security obligations when processing personal data, now includes new factsheets on artificial intelligence, mobile applications, cloud computing and APIs, reflecting the latest technological advances. Aimed at DPOs, CISOs, IT professionals and legal experts, the guide has been restructured into five sections with 25 factsheets for easier browsing. Additions also cover current practices such as BYOD, with updates to keep pace with evolving threats and knowledge. This resource serves as a comprehensive tool for ensuring data security, highlighting both basic precautions and advanced protective measures. You can read the press release here and the full guide here.

France: CNIL launches public consultation on multi-factor authentication recommendation

The French data protection authority (CNIL) is seeking to promote cybersecurity measures that comply with the General Data Protection Regulation (GDPR), both by design and through the use of technology. To this end, it has launched a public consultation on a draft recommendation for multi-factor authentication (MFA) solutions, which is open until 31 May 2024. The Recommendation aims to guide users and providers of MFA in securing data processing activities and promoting privacy by design. It addresses when MFA is legally required or advisable, ensuring GDPR principles such as legal basis, data minimisation and respect of rights. The consultation is aimed at data controllers, processors, DPOs and IT security professionals, as well as MFA providers, with the aim of refining the recommendation based on real-world insights and experiences. You can read the press release here and the draft recommendation here (both in French).

Czech Republic: UOOU publishes its annual report for 2023

The Czech data protection authority (UOOU) has published its annual report for 2023, highlighting the main themes and activities of the UOOU in data protection, the implementation of the right to information and other legal duties. Jiří Kaucký, the UOOU’s President, hopes that the report will provide useful information and contribute to the understanding of the indispensable nature of personal data protection and individual privacy. This document reflects the ongoing efforts of the Czech authority to address data protection challenges and ensure compliance with the legal framework, and underlines the importance of privacy in the digital age. You can read the press release here and the full report here (both in Czech).

Norway: Datatilsynet releases AI strategy

The Norwegian data protection authority (Datatilsynet) has released a strategy to address the challenges and opportunities presented by artificial intelligence (AI) in Norway. The strategy outlines Datatilsynet’s commitment to promoting the responsible development and use of AI, which respects individual rights and upholds societal values. It emphasises the importance of integrating data protection from the very beginning of AI projects and highlights the close relationship between privacy, freedom of expression and non-discrimination. The strategy aims to ensure that Datatilsynet adopts a coherent and consistent approach to AI, improving its internal processes and external interactions. It aims to provide clear guidance on how to handle AI-related inquiries and initiatives, strengthen the agency’s AI oversight capabilities, and improve the efficiency and quality of its work by ensuring that privacy and data protection principles are embedded in AI innovations. You can read the press release here and the full strategy here (both in Norwegian).

Norway: Schibsted’s pay or consent solution under scrutiny

The Norwegian data protection authority (Datatilsynet) is currently receiving numerous inquiries about Schibsted’s new test of a “pay or consent” solution, in which users are asked to choose between consenting to the sharing of their data for personalised advertising or paying an additional fee for an ad-free experience without tracking or profiling for marketing purposes. This issue is part of a wider trend across Europe where services and platforms are offering options to avoid data collection for behavioural advertising, raising questions about the validity of such consent, especially for those with limited financial resources. The European Data Protection Board (EDPB), at the request of the data protection authorities in Norway, the Netherlands and Hamburg, is expected to issue guidance on the GDPR requirements for large internet platforms using these consent mechanisms by April. The outcome is likely to provide valuable general guidance on consent collection practices. You can read the press release here (in Norwegian) and the request for an EDPB opinion on “consent or pay” here (in English).

Denmark: Datatilsynet investigates CCTV surveillance in secure residential institutions

The Danish data protection authority (Datatilsynet) has completed several inspections of secure residential institutions regarding their handling of personal data in connection with CCTV surveillance. These inspections were motivated by the special protection afforded to children and young people under data protection rules and the focus on CCTV surveillance and child protection in the authority’s inspection plan for 2023. The inspections were based on physical inspection visits to the residential institutions, during which the areas monitored by CCTV were shown to Datatilsynet. The inspections focused, among other things, on the extent of surveillance, the rules for sharing recordings, the respect of the rights of data subjects and the security of the storage of recordings. Datatilsynet found that, in general, the institutions complied with data protection rules. However, it stressed that the institutions must limit surveillance to what is necessary, respect the privacy of individuals, provide information to those being monitored, in particular in clear language suitable for children, and ensure that appropriate technical and organisational measures are in place to secure the data of those being monitored. You can read the press release here (in Danish).

Croatia: AZOP publishes recommendations for elections

The Croatian data protection authority (AZOP) has published recommendations ahead of the general election, advising on the correct handling of personal data by political entities. AZOP outlines the need for either voter consent or legitimate interest for the processing of personal data in campaigns. It highlights the permanent right of voters to object to data processing, and mandates clear communication of this right in all election communications. AZOP calls for transparency in data processing and suggests minimising the use of personal data in campaign strategies. The recommendations serve as a warning that failure to comply with GDPR provisions may result in enforcement action, including fines, highlighting the urgent need for political parties and candidates to comply with data protection regulation. You can read the press release here (in Croatian).

Global

Microsoft announces enhanced data privacy measures for AI services

Microsoft has announced enhanced data privacy and governance measures for users of its Azure OpenAI Service and Copilots, highlighting the extension of its privacy commitments to these AI solutions. The company emphasises that customer data will remain private, secure, and under user control, in line with Microsoft’s Data Protection Addendum and Privacy Statement. It assures that data, including interactions with Azure OpenAI Service and Copilots, won’t be shared without consent or used to train foundational models. Furthermore, Microsoft commits to compliance with global data protection laws, including the EU AI Act. Alongside these privacy measures, Microsoft offers support for AI deployment, addressing legal, regulatory, and copyright concerns through its AI Assurance Program and Customer Copyright Commitment. You can read the full article here.

Fines

Italy: Garante fines companies for unlawful use of facial recognition in the workplace

The Italian data protection authority (Garante) has fined five companies a total of €103,000 for unlawfully processing biometric data to monitor the attendance of employees. The companies, which operate at the same waste disposal site, used facial recognition technology, even though no current regulation permits biometric data to be processed in this way. The action followed complaints from several workers that highlighted significant privacy risks and the lack of legal and regulatory safeguards at national and European level. Inspections revealed other violations, including inadequate security measures and the sharing of a biometric detection system between three companies for more than a year. The Garante stressed the need to use less intrusive methods to monitor attendance and ordered the destruction of the data collected unlawfully. You can read the press release here (in Italian).

Italy: Garante fines transport company for inadequate data protection practices

A transport company in Emilia Romagna has been fined €50,000 by the Italian data protection authority (Garante) for using a non-compliant subscription form for its public transport service. The investigation, which was triggered by a complaint, found that the form provided to passengers lacked essential information, with the result that consent was not freely given, specific and informed. The form did not distinguish between mandatory and optional data (e.g. mobile phone numbers and email addresses) and did not clearly inform users of their right to object to direct marketing. The company, which serves a significant user base, had not updated its data processing information and subscription forms, or its internal data retention policy, to comply with the GDPR. The Garante also prohibited the company from processing users’ data for marketing or service status communications based on invalid consents, and ordered it to issue a new compliant data processing information notice. You can read the press release here (in Italian).