Data Protection Weekly 14/2023

Apr 6, 2023

European Union

CJEU: WhatsApp appeals General Court’s order dismissing case against EDPB

WhatsApp Ireland Ltd has appealed the General Court’s order in Case T-709/21, WhatsApp Ireland v European Data Protection Board (EDPB), which dismissed WhatsApp’s action against the EDPB’s decision on dispute resolution under Article 65 of the GDPR. The Court found that WhatsApp did not have standing to challenge the EDPB’s decision, as the decision did not have binding legal effects that significantly altered the company’s legal position. WhatsApp argues that the Court erred in its interpretation of the concept of an ‘act open to challenge’ under Article 263 TFEU, claiming that the EDPB’s Contested Decision 1/2021 was not a mere preparatory act. WhatsApp also submits that the General Court committed errors in law in interpreting the notion of ‘binding decision’ within the meaning of Article 65(1) GDPR and the principle of consistent interpretation and application of European Union law. The appellant requests that the order be set aside and the case referred back to the General Court. Find WhatsApp’s pleas in law and main arguments here.

CJEU: Member States cannot derogate from the GDPR without additional employee protection measures

The Court of Justice of the European Union (CJEU) ruled that a Member State may only rely on Article 88(1) GDPR to derogate from the GDPR if it also implements additional measures to protect employees’ rights and freedoms. The case involved a legal framework in the Land Hessen that enabled remote education through video calls during the COVID-19 pandemic. Teachers’ personal data was processed without their consent, and the CJEU clarified that Article 88 GDPR also covers public employment. The Court held that three conditions must be met when relying on Article 88 GDPR: specificity, protection of workers’ rights and freedoms, and suitable and specific measures under Article 88(2) GDPR that do not merely reiterate the general protections of the GDPR. Read the full judgment here.

EDPB: Co-legislators asked by EDPB not to include data sharing provisions in the final text of the AML/CFT Regulation

In a letter addressed to the European Parliament, the Council, and the European Commission, the EDPB draws the attention of the co-legislators to the significant risks that Articles 54(3a), 55(5) and 55(7), as amended by the Council’s mandate, pose to the fundamental rights to privacy and to the protection of personal data. In particular, the EDPB expresses serious concerns about the lawfulness, necessity, and proportionality of the above-mentioned provisions, and recommends that the co-legislators not include them in the final text of the Proposal for a Regulation on AML/CFT. Read the full letter here.

EDPB: Publication of Guidelines 9/2022 on personal data breach notification under the GDPR, version 2.0

The EDPB conducted a targeted public consultation on the notification of data breaches by controllers not established in the EEA. The consultation showed a need to clarify the notification requirements for personal data breaches at non-EU establishments. The EDPB has therefore issued updated guidelines, with changes limited to paragraph 73 in Section II.C.2, while the rest of the document remains unchanged apart from editorial updates. The new Guidelines are available here.

European Commission: Commissioner Reynders addressed the issue of digital advertising and cookies at the 2023 Consumer Summit

In his Keynote Speech at the 2023 Consumer Summit, Commissioner Reynders highlighted the need for a collaborative approach to help consumers better understand digital advertising and the recurring issue of cookie consent prompts. He plans to invite stakeholders, businesses, consumer organizations, and experts to discuss solutions to cookie-related issues and ways to improve the online browsing experience for consumers. The full Keynote Speech can be read here.

European Commission: Conclusion of the first review of the Japan-EU mutual adequacy arrangement

The European Commissioner for Justice, Didier Reynders, and the Chairperson of the Personal Information Protection Commission of Japan (PPC), Ms. Mieko Tanno, have welcomed the successful conclusion of the first review of the Japan-EU mutual adequacy arrangement. The mutual adequacy arrangement, established in 2019, allows for the free flow of personal data between Japan and the EU, creating the world’s largest area of free and safe data flows. The review demonstrated that the mutual adequacy arrangement is functioning well and has led to an increase in convergence between the data protection frameworks of the two regions. Both sides agreed to explore the possibility of expanding the scope of the EU adequacy decision for Japan to further strengthen their partnership in this area. The Press statement can be read here.

Europol: publication of Innovation Lab’s report on the impact of Large Language Models on law enforcement

As Large Language Models (LLMs) such as ChatGPT gain mainstream prominence, law enforcement agencies must adapt to the potential implications for both criminal activities and investigative work. Europol’s Innovation Lab recently organized workshops with subject matter experts to explore LLMs’ potential for abuse by criminals and their possible applications in assisting investigators. The findings are presented in a Tech Watch Flash report, which aims to inform law enforcement agencies about new and emerging technologies that could impact their operations. By staying updated on LLMs’ advancements, law enforcement can better prepare for the challenges and leverage the opportunities these powerful tools present. You can download the full report here.

Council of Europe: France’s ratification of Convention 108+

France ratified the 108+ Amending Protocol on March 27, 2023, modernizing the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). This international treaty promotes privacy rights and data protection globally. The update strengthens individuals’ rights, considering technological advancements like AI, expands oversight authorities’ powers, and enhances cooperation. France is the 22nd country to ratify the updated convention, with 16 more ratifications needed for its enactment. Read the press release here.

National Authorities

France: CNIL’s updated personal data security guide

France’s CNIL published a new personal data security guide on April 3, 2023, incorporating the CNIL’s latest recommendations on passwords and logins. The guide targets professionals handling personal data and contains 17 sheets covering essential precautions and additional data protection measures. Key updates in the 2023 edition include an emphasis on password entropy and the removal of password renewal obligations, guidance on balancing security, surveillance, and risks in multi-user systems, and revisions to reflect current best practices. The guide (in French) is available here.

France: CNIL opens public consultation on whistleblower alert systems framework update

The CNIL has opened a public consultation to update its framework on “personal data processing for the implementation of whistleblower alert systems,” following the recent transposition of the EU directive on whistleblower protection. The “Waserman” law, published in March 2022, strengthened the protection for whistleblowers, expanding the categories of eligible individuals, providing protection for those assisting whistleblowers, and establishing investigation timelines and common minimum guarantees for all whistleblowers. This necessitated updating CNIL’s existing framework, adopted on July 18, 2019. The public consultation will run until May 5, 2023, inviting feedback and proposals for changes to the existing framework. Following the consultation, the updated framework will be submitted to CNIL’s board for final adoption, and a webinar will be organized to present the main updates. You can find the consultation (in French) here.

UK: ICO to create new practitioner forum to reduce compliance burden

The UK’s Information Commissioner’s Office (ICO) has announced plans to establish a practitioner forum to reduce the burden and cost for organizations of complying with the laws it regulates. The new service would run alongside its existing services, including the ICO’s helpline, website, and annual data protection practitioners’ conference. The ICO is currently researching the options it might develop and how to meet the needs of its stakeholders when delivering this forum. Respondents have been invited to give their views on how this new service might work for them; their responses will be anonymous and processed in line with the ICO’s privacy policy. The deadline for responses is 5 pm on 14/04/2023. The survey can be answered here.

Italy: Garante suspends ChatGPT, OpenAI pledges cooperation

Italy’s Data Protection Authority (DPA) has temporarily halted ChatGPT’s data processing activities for Italian users due to privacy concerns. OpenAI, the platform’s developer, is under investigation following a data breach that exposed user conversations and payment information. The DPA criticizes the lack of user notifications, legal basis for data collection, and inaccuracies in ChatGPT’s information. Additionally, the absence of age verification systems exposes minors to unsuitable content. OpenAI faces fines up to €20 million or 4% of annual global turnover if it fails to comply within 20 days.

OpenAI confirmed their willingness to cooperate with the Italian DPA to address concerns regarding ChatGPT. During a videoconference with Garante, the company pledged to enhance transparency, strengthen mechanisms for user rights, and improve safeguards for minors. OpenAI will submit a document outlining measures to meet the DPA’s requests, which the authority will assess before making a decision on the existing order against OpenAI. Read the press releases here and here.

BEUC calls for investigation into ChatGPT and similar chatbots

The European Consumer Organisation (BEUC) urges EU and national authorities to investigate ChatGPT and similar chatbots, following a complaint filed by the US-based Center for AI and Digital Policy (CAIDP) with the US Federal Trade Commission. With the world’s first AI legislation, the AI Act, still in development by the EU, BEUC warns that consumers may be left vulnerable during the interim years before its implementation. BEUC Deputy Director General Ursula Pachl highlights the rapid adoption of ChatGPT and concerns about deception and manipulation. She calls for an immediate investigation of ChatGPT and similar chatbots by EU and national authorities, emphasizing the need for increased public scrutiny and control over AI systems. Read the press release here.

Meta switches to “legitimate interest” for ads, noyb plans legal action

Following noyb’s success in complaints against Meta (Facebook and Instagram), the company is transitioning from an unlawful contract legal basis to the “legitimate interests” legal basis for processing user data for ads, a move considered equally unlawful. Noyb plans to take immediate action, asserting that companies cannot claim their profit interests override users’ privacy rights. Previously, Meta argued personal data use for ads was “necessary under the contract” to bypass user consent. Noyb filed complaints and prevailed before the European Data Protection Board in December 2022, compelling Meta to change its approach. Instead of adopting an “opt-in” system, Meta now claims its ‘legitimate interest’ in processing user data overrides users’ privacy rights. Noyb will respond to Meta’s switch on April 5th. Read the press release here.

UK: ICO fines TikTok £12.7 million for misusing children’s data

The UK Information Commissioner’s Office (ICO) has fined TikTok Information Technologies UK Limited and TikTok Inc a total of £12.7m for multiple breaches of data protection law. The ICO found that TikTok processed children’s personal data without the consent of their parents or carers and provided its services to up to 1.4 million UK children under the age of 13, despite its own rules not allowing children of that age to create an account. TikTok also failed to provide users with proper, easily understandable information about how their data is collected, used, and shared. The ICO’s original notice of intent set the fine at £27m, but this was reduced as the regulator decided not to pursue the provisional finding related to the unlawful use of special category data. Read the press release here.

Spain: AEPD fines BBVA €84,000 for GDPR Violations

The Spanish Data Protection Authority (AEPD) has concluded its sanctioning procedure against Banco Bilbao Vizcaya Argentaria (BBVA) for alleged violations of Articles 6.1 and 15 of the GDPR. BBVA acknowledged responsibility and paid a reduced fine of €84,000 within the hearing period of ten working days. This amount reflects two cumulative reductions, for voluntary payment and for acknowledgment of responsibility. By paying the fine, BBVA waives any actions or appeals against the sanction and admits responsibility for the facts stated in the initiation agreement. The AEPD has terminated the procedure in accordance with Article 85 of the LPACAP. The initially proposed sanctions totalled €140,000, but BBVA’s timely response allowed for the reduced amount. The full decision can be read (in Spanish) here.