Data Protection Weekly 13/2023

Mar 31, 2023

 European Union

EDPS: Joins EDPB’s Coordinated Enforcement Action on Data Protection Officers

The EDPS announces its participation in the EDPB’s Coordinated Enforcement Action on the role and tasks of DPOs, alongside 26 EU/EEA data protection authorities. Wojciech Wiewiórowski, EDPS, emphasized the importance of DPOs in ensuring compliance with data protection law within EU institutions (EUI). The EDPS will focus on the role, responsibilities, and tasks of DPOs in EUI, sending a questionnaire to assess their compliance with Regulation (EU) 2018/1725. The enforcement action is part of the EDPB’s Coordinated Enforcement Framework, aiming to streamline enforcement actions and cooperation among EU/EEA DPAs. Read the press release here.

Council of the EU: member states agree common position on Data act

The Council of the EU has achieved a common position on the proposed Data Act which aims to create harmonized rules for fair access and use of data. While maintaining the general thrust of the Commission’s proposal, the Council’s text amends various parts. The common position now enables the Swedish presidency to enter negotiations with the European Parliament on the final version of the proposed legislation. Read the press release here.

EDPB: adoption of opinion on the draft decision of the Danish Supervisory Authority on the controller Binding Corporate Rules (BCRs) of Norican Group

The European Data Protection Board (EDPB) approved the Danish SA’s draft decision on Norican Group’s controller Binding Corporate Rules (BCRs).The draft BCRs cover the processing of personal data by Norican Group entities, both as controllers and processors. Data subjects covered by the draft BCRs include job applicants, employees, customers, suppliers, partner companies and other business relationships of the Norican Group. The EDPB emphasised that the draft BCRs contain appropriate safeguards to maintain the level of protection guaranteed by the GDPR, when personal data is transferred and processed by Group members located in third countries. You can read the Opinion 04/2022 here.

European Commission: publication of 2023-2024 Digital Europe Programme

The European Commission has unveiled its 2023-2024 work program and budget for the Digital Europe Programme, highlighting key technology policy areas for the coming years. The multiannual plan allocates €113 million for initiatives on cloud services, data, and artificial intelligence (AI). The program aims to enhance cloud security, establish AI Testing and Experimentation Facilities, and promote open data sharing across sectors. In addition, the cybersecurity section of the program focuses on supporting small and medium-sized businesses in regulatory compliance. The two documents can be found here.

EDPS: publication of the new TechDispatch report on Central Bank Digital Currency (CBDC)

In its new TechDispatch, EDPS provides a description of CBDC and assesses possible impacts on privacy and the protection of personal data in the context of numerous countries around the world examining whether they should offer central bank money to the public in a digital form. The technical design choices, policy objectives, and use-cases of CBDCs significantly impact privacy and data protection, with concerns over diminishing anonymity in payments and potential surveillance risks. Balancing these concerns with regulatory compliance, such as anti-money laundering laws, is crucial. Institutions emphasize the importance of a data protection by design and by default approach, multilateral coordination, and standardization efforts to address these challenges. Privacy professionals must stay informed about these ongoing discussions to prepare for the potential implementation and impact of CBDCs on the financial landscape. You can read the full report here.

National Authorities

Denmark: Danish DPA introduces data breach statistics portal

Denmark’s Data Protection Authority, Datatilsynet, has introduced a new portal providing detailed data breach insights. The portal, part of the national cybersecurity strategy, offers overviews of reported breaches, their types, and affected sectors. Users can filter by event types, industries, and track trends over time. The portal aims to help identify areas needing more guidance or supervision, and contributes to better data protection and breach prevention. Although some data cannot be displayed fully due to security concerns, the authority aims to gradually increase detail within acceptable limits. Read the press release (in Danish) here.

Italy: Garante approves Telemarketing Code of conduct

The Italian Data Protection Authority (Garante) has approved a Code of Conduct for telemarketing and teleselling activities, promoted by client associations, call centers, telesellers, list providers, and consumer associations. The Code will become effective after the accreditation of the independent Monitoring Body and its publication in the Official Gazette. Companies adhering to the Code commit to adopting specific measures to ensure data processing lawfulness and fairness throughout the telemarketing chain. These measures include obtaining specific consents for individual purposes, providing clear information about data processing purposes, and allowing individuals to exercise their rights under privacy regulations. The Code also introduces rules to combat abusive call centers and requires companies to conduct impact assessments for automated data processing. Read the press release (in Italian) here.

Spain: AEPD Releases Guidelines for data processing involving communication of data between Public Administrations

The Spanish Data Protection Authority (AEPD) has released guidelines for public administrations to manage risks in exchanging personal data. Focusing on situations where large volumes of personal data are at risk, the guidelines emphasize coordinated action, joint analysis of breach scenarios, and suitable data protection techniques and security measures. The AEPD acknowledges the complexity of the organizational infrastructure and interconnection of systems involved in data exchange and urges the implementation of appropriate privacy guarantees and security measures, both technical and organizational, to manage the high social impact of data protection in a coordinated manner.  Guidelines (in Spanish) are available here.

UK: ICO  opens consultation on Children’s Code access guidance

The ICO has clarified that adult-only services likely to be accessed by children are falling under the Children’s Code scope. To assist Information Society Service (ISS) providers in assessing potential child access, ICO has developed guidance, including FAQs, factors, and case studies. The ICO is now seeking feedback on this supporting guidance and its impact assessment within the context of the Children’s Code. The consultation is open until May 19, 2023, and encourages responses to specific survey questions. The link to the consultation is available here.

UK: ICO published new Guidelines on Direct Marketing and Regulatory communications

The ICO has issued guidance for organizations in regulated private sectors, such as finance, communications, and utilities, addressing regulatory communications and direct marketing compliance. Regulatory communications are messages that regulators require industries to send to individuals. Data protection laws and the Privacy and Electronic Communications Regulations 2003 (PECR) do not prevent organizations from sending regulatory communications, but compliance is necessary. The guidance clarifies the distinction between regulatory communications and direct marketing, stating that the phrasing, tone, and context of the message play a crucial role in determining its classification. Understanding the differences will help organizations adhere to the relevant rules and ensure they meet data protection requirements, regardless of whether a message is classified as direct marketing. The guidelines can be consulted here.


BEUC Calls for Harmonized GDPR Cross-Border Rules

BEUC the European Consumer Organisation representing  independent consumer organisations, welcomes the European Commission’s proposal for harmonized procedural rules on cross-border GDPR cases and outlines three recommendations that it considers essential for this initiative to be successful: “Mutual recognition of complaint admissibility and data subject representation”, “Equal procedural rights for data subjects and their representing organizations”, “Efficient and close cross-border cooperation between Data Protection Authorities (DPAs). Read the recommendations here.

AI Researchers Urge Pause on Powerful AI Development

A group of AI researchers and experts have issued an open letter calling for a 6-month pause in training AI systems more powerful than GPT-4. The letter emphasizes the potential risks posed by advanced AI systems and the need for rigorous safety protocols and robust governance systems. During the pause, the signatories urge AI labs to collaborate on shared safety protocols and work with policymakers to establish AI governance systems. The goal is to create a safer environment for AI development, focusing on accuracy, transparency, and trustworthiness of AI systems. This initiative aims to ensure a flourishing future with AI while addressing potential risks, allowing society to adapt and enjoy the benefits of advanced AI systems. You can read the Open Letter here.

UK Regulatory Policy Committee releases Opinion on UK’s data protection framework reform bill

The UK Regulatory Policy Committee (RPC) has published its “fit for purpose” opinion on the proposed Data Protection and Digital Information Bill. The RPC’s opinion focusses on the changes to the impact assessment conducted on the latest draft of the bill, which introduces several key amendments addressing various concerns including expanding research exemptions, simplifying record-keeping, clarifying legitimate interests, easing data transfer mechanisms, and refining profiling-based decision safeguards. The RPC’s opinion can be found here.


France: CNIL fines company CITYSCOOT over geolocation of rental scooters

The French Data Protection Authority, CNIL, has fined scooter rental company CITYSCOOT €125,000 for disproportionately infringing the privacy of its customers by geolocating them almost constantly. The company collected geolocation data every 30 seconds during scooter rentals and kept records of the journeys. The CNIL found that none of the purposes stated by CITYSCOOT for collecting this data justified such detailed information. The company also failed to provide a contractual framework for processing operations by processors and failed to inform users and obtain their consent before writing and reading information on their personal devices. The decision (in French) can be read here.

Luxembourg: CNPD adopted six decisions relating to investigations concerning  transparency

On December 13, 2022, Luxembourg’s National Commission for Data Protection (CNPD) adopted six decisions related to transparency investigations launched in 2020 targeting six web services companies. In each decision, the Commission found that Article 12.1 of the GDPR (transparency obligations) was not complied with, as information was not conveyed to individuals concisely, transparently, understandably, easily accessible, or in clear and simple terms. Furthermore, in four of the six decisions, violations of Article 13 of the GDPR (right to information) were identified, as the organizations failed to provide their website users with the required information. Fines ranged from €700 to €3,000, and additional corrective measures were imposed for GDPR breaches. The decisions (in French) can be found here.

Austria: DSB rules CRIF Database Illegal and Orders Deletion of Millions of Records

The Austrian Supervisory Authority has ruled that CRIF GmbH, a credit referencing agency, processed data illegally by collecting personal information without consent or legal basis to calculate creditworthiness values. As a result, millions of records must be deleted. CRIF acquired core data, including names, addresses, dates of birth, and gender, from address publisher AZ Direct, which is only authorized to share this data for marketing purposes. However, the data was used to calculate credit scores for almost every Austrian resident. The SA’s decision is based on a test case filed by noyb, which has now won. While the ruling currently pertains to an individual data subject, a broader official prohibition is pending. An appeal by CRIF is expected. The decision (in German) can be read here.

Romania: ANSPDCP imposes €5,000 fine on Tehnoplus Industry for multiple GDPR violations

Romania’s Supervisory Authority  (ANSPDCP) has fined Tehnoplus Industry S.R.L. €5,000 for violations of GDPR. The investigation was launched following a report from an employee, who claimed that his personal data was being processed through the GPS system installed in his company car without proper notification. The ANSPDCP found that Tehnoplus Industry processed location data outside of working hours, without exhausting less intrusive methods and without fully informing the employee. In addition, the company stored the data beyond the 30-day retention period without justification, which is another violation of the GDPR. The press release (in Romanian) can be read here.