Data Protection Weekly 13/2024

Apr 9, 2024

European Union

EDPS: European Data Protection Summit scheduled for 20 June 2024 in Brussels and online

The European Data Protection Supervisor (EDPS) has announced the European Data Protection Summit, to be held in Brussels and online on 20 June, under the theme “Rethinking Data in a Democratic Society”. The event marks the 20th anniversary of the European Data Protection Supervisor (EDPS) and aims to explore how data protection can safeguard a democratic society. It will bring together privacy experts, technology specialists, policy-makers, and other influential voices to discuss the role of the state in an era of ever-increasing collection of information about citizens, whether by private or public entities. The Summit will address the successes and limitations of data protection laws in contributing to the development of the foundations of democratic societies, and highlight the need for continued public debate and reflection on these issues. You can read more about the event and register here.

National Authorities

Italy: Garante issues a warning to Worldcoin over biometric data collection

The Italian data protection authority (Garante) has issued a warning to the Worldcoin Foundation regarding its iris-scanning Worldcoin project, suggesting that it could breach EU regulations if introduced in Italy. The project, initiated by OpenAI CEO Sam Altman, involves a biometric device called the Orb, which scans users’ irises to create a unique World ID for access to a financial network using the WLD cryptocurrency. Although not yet operational in Italy, Italian residents can reserve WLD tokens through the World app by submitting personal information. The Garante claims that the consent obtained for the processing of biometric data is invalid under EU law, as it is based on insufficient information and influenced by the offer of free tokens, thereby compromising the freedom of consent. The potential risks are exacerbated by the lack of age restrictions for users of the Orb and World apps. The decision will be published in the Italian Official Gazette. You can read the press release here (in Italian).

France: CNIL publishes AI recommendations

The French data protection authority (CNIL) has published its first set of recommendations on the development of AI systems, following an extensive public consultation. These recommendations aim to help professionals reconcile the use of innovative AI with the strict requirements of the General Data Protection Regulation (GDPR). The document provides practical guidance on determining the legal framework, defining purposes, the legal qualification of AI system operators and the lawful basis for data processing. It also includes steps for carrying out impact assessments, as well as data protection considerations from the design phase of systems. With this initiative, the CNIL aims to support the ethical development of AI in line with European values of privacy and transparency. You can read the press release here and the full recommendations here (both in French).

UK: ICO joins global data protection and privacy enforcement programme

The UK data protection authority (ICO) has joined the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), an international initiative aimed at enhancing cooperation in data protection and privacy enforcement across borders. This collaboration will allow the ICO to assist in investigations and share information with the member countries, which include the US, Australia, Canada, Mexico, Japan, South Korea, the Philippines, Singapore, and Chinese Taipei, without the need for individual bilateral agreements. This new arrangement supplements the existing Asia-Pacific Economic Cooperation Cross-border Privacy Rules by including nations outside the Asia-Pacific region, aiming to bolster global privacy safeguards. You can read the press release here.

Denmark: Datatilsynet revises guidelines on phone call recording

In response to recent European developments, the Danish data protection authority (Datatilsynet) has revised its 2020 guidelines on the recording of phone calls. The guidelines initially required consent for recording calls for training purposes, unless there were exceptional circumstances. However, the updated interpretation now allows such recordings without the individual’s consent, provided they are given the opportunity to object either before the call begins via a keypad entry or during the call itself. This change aims to align with wider European practice, while balancing the need for training with the data protection rights of individuals. There have been no changes to recording for documentation purposes. You can read the press release here (in Danish).

UK: ICO sets out priorities to protect children’s privacy online

The UK data protection authority (ICO) is intensifying its efforts to safeguard children’s privacy on social media and video-sharing platforms as part of its 2024-2025 priorities. Building on the Children’s code introduced in 2021, the ICO has urged these platforms to enhance privacy safeguards to better protect children’s personal data. The updated strategy requires platforms to ensure that children’s profiles are private by default and geolocation settings are disabled, to minimise profiling for targeted advertisements, and to avoid using data in ways that could lead children to harmful content. Additionally, the ICO stresses the importance of gaining appropriate consent for users under 13 and using age assurance technologies effectively. This initiative also involves increased cooperation with both UK regulators like Ofcom and international bodies to promote higher standards of data protection globally. You can read the press release here.

Netherlands: AP warns political parties of personal data risks around elections

With the European Parliament elections on 6 June 2024 approaching, the Dutch data protection authority (AP) has issued a reminder to political parties to comply with data protection rules. The letter from the AP highlights the increased processing of personal data by parties for targeted campaigning and member recruitment, which must comply with the General Data Protection Regulation (GDPR). In particular, it highlights the treatment of sensitive personal data, such as political preferences, which are subject to stricter protections. In addition, the AP warns against the use of online tracking methods such as cookies and the risks associated with the use of generative AI technologies. The AP also reaffirms its supervisory role and its willingness to report violations to the Authority for European Political Parties and European Political Foundations (APPF). Both the AP and the APPF can take enforcement action. You can read the press release here (in Dutch).

Italy: Garante wants AI oversight role

The Italian data protection authority (Garante) has declared its willingness to enforce the newly adopted European law on artificial intelligence, in line with the objective of ensuring a high level of protection of fundamental rights. The statement was made by Garante President Pasquale Stanzione in communications to the leaders of both Houses of Parliament and the Prime Minister. Stanzione emphasised the synergy between the Act and data protection regulation, arguing that AI oversight should be managed by independent authorities such as the Garante, and noting its established expertise in automated decision-making processes. This integration, he argued, is essential to effectively uphold the rights and guarantees provided by the AI Act, and he called on the Italian legislative and executive branches to reflect on these governance structures. You can read the press release here (in Italian).

Iceland: Annual report of the Icelandic data protection authority 2023

The 2023 annual report of the Icelandic Data Protection Authority (Persónuvernd) has been released, providing a comprehensive overview of the authority’s roles and operations throughout the year. The report includes statistical data and insights into the key functions of Persónuvernd, along with a foreword by the CEO, which discusses the main projects undertaken by the authority. This document offers an in-depth look into the authority’s efforts to oversee and enforce data protection laws in Iceland, highlighting both the progress made and challenges faced during the year. You can read the full report here (in Icelandic).

Sanctions

Poland: UODO imposes fines on Santander and Toyota banks for data breach notification failures

The Polish data protection authority (UODO) has fined Santander Bank Polska S.A. PLN 1.44 million (equivalent to €337,800) and Toyota Bank Polska S.A. PLN 78,000 (equivalent to €18,300) for failing to notify data breaches. Santander’s problem arose after a courier theft exposed customer data, including account numbers and personal IDs. Although the documents were soon found and handed over to the police, UODO criticised the bank’s delay in notifying and stressed the importance of immediate action to allow individuals to assess the impact on their rights and freedoms. Similarly, Toyota Bank was penalised for a significant delay in reporting a breach in which customer data was sent to an unauthorised recipient, creating a high risk of identity theft. UODO stressed that failure to report breaches in a timely manner undermines the ability of individuals to protect their rights and freedoms, and underscored the obligation of data controllers to put individuals before corporate interests. You can read the press release here (in Polish).