Data Protection Weekly 14/2024

Apr 15, 2024

 European Union

CJUE: Opinion of the Advocate General on the supervisory authority’s obligation to act upon detection of breaches in complaint investigations

Advocate General Priit Pikamäe has delivered his Opinion in Case C-768/21, in which he considers that supervisory authorities (SA) have a duty to act when they find a personal data breach in the course of complaint investigations. This obligation exists notwithstanding the discretion allowed in selecting corrective measures, which must be appropriate, necessary and proportionate to effectively remedy the breach. In particular, SA are required to identify the most appropriate corrective measures to remedy the breach and preserve the rights of the data subjects concerned. The case arose after a German savings bank customer’s data was unauthorisedly accessed by an employee, leading to a complaint to the data protection commissioner of the German state of Hesse. Although the bank disciplined the employee, no further action was taken by the SA, leading to legal challenges. The Court of Justice of the EU was subsequently asked to clarify the powers and responsibilities of such authorities under the GDPR. You can read the press release here and the full Opinion here.

EDPS: Annual Report emphasises adaptability in a changing world

The European Data Protection Supervisor (EDPS) has presented its 2023 Annual Report, with Supervisor Wojciech Wiewiórowski focusing on the agency’s adaptability in an evolving digital and regulatory environment. The report emphasised the importance of international cooperation in enhancing data protection standards across the EU, especially in the context of AI advancements. The EDPS has contributed to legislative processes like the AI Act to promote a human-centric approach to technology that respects privacy rights. Furthermore, the EDPS has raised concerns about the potential overreach of the proposed Regulation on Child Sexual Abuse Material, which could lead to mass surveillance. As the EDPS celebrates its 20th anniversary, it reflects on its role in shaping data protection amidst rapid technological changes, preparing to address future challenges. You can read the press release here.

EDPB: CSC elects 2nd Deputy Coordinator

On 10 April 2024, the Coordinated Supervision Committee (CSC) elected Matej Sironic from the Slovenian Data Protection Authority (DPA) as its second Deputy Coordinator, joining Sebastian Hümmeler of the Federal German DPA. This election responds to the CSC’s expanding responsibilities, enabling it to better manage its oversight of the large EU Information Systems and of EU bodies, offices and agencies in accordance with Article 62 of Regulation 2018/1725 or with the EU legal act establishing the large scale IT system. The CSC operates within the European Data Protection Board framework, engaging EU DPAs and the European Data Protection Supervisor, plus Non-EU Schengen Member States’ DPAs as applicable. It currently covers the Internal Market Information system (IMI), Eurojust, the European Public Prosecutor’s Office (EPPO), Europol and the Schengen Information System (SIS), with plans to include additional IT systems and entities in the future. You can read the press release here.

ENISA: Publication of the updated version of the ‘Awareness Raising in a Box’

The European Union Agency for Cybersecurity (ENISA) has released an updated version of its ‘Awareness Raising in a Box’ toolkit, designed to improve cybersecurity culture within organisations. This comprehensive toolkit, known as AR-in-a-Box, integrates game design elements to help familiarise employees with cybersecurity concepts through interactive learning and to enhance their engagement in cybersecurity practices. The updated version has been piloted in collaboration with the Cypriot Digital Security Authority and the Cyprus National Coordination Centre for Cybersecurity, highlighting its effectiveness in promoting cyber resilience through continuous training. The toolkit not only includes a variety of instructional materials and activities but also features a new guide for developing cyber crisis communication plans, thereby supporting organisations in enhancing their communicational readiness and mitigating potential risks and damages in cybersecurity crises. You can read the full article here.

National Authorities

Spain: AEPD publishes 2023 Annual Report

The Spanish data protection authority (AEPD) has published its 2023 Annual Report, which reveals a significant increase in complaints and breaches of data protection. In 2023, the AEPD received 21,590 complaints, which represents a 43% increase from the previous year. The total fines imposed amounted to €29,817,410, which were substantial. The report also highlighted over 2,000 data breaches reported during the year. Additionally, the AEPD conducted 36 urgent interventions through its Priority Channel to remove online content that involved sexual or violent images posted without consent. In all cases, the interventions achieved immediate success. The number of registered Data Protection Officers (DPOs) increased to 111,070 from 103,350 in 2022, indicating strengthened compliance efforts across both private and public sectors. The report also highlights the AEPD’s commitment to social responsibilities, such as gender equality and protecting children and adolescents online. You can read the press release here and the full report here (both in Spanish).

UK: ICO seeks views on accuracy of generative AI models

The UK data protection authority (ICO) is currently hosting a consultation to explore how data protection laws pertain to generative AI technologies. This latest discussion, marking the third in a series, concentrates on the application of the accuracy principle to generative AI outputs and the importance of precise training data. Misapplications of these AI models could lead to significant misinformation issues and damage reputations. The consultation aims to ensure that entities involved in the development and deployment of generative AI adhere strictly to data protection standards concerning personal information accuracy. Stakeholders such as developers, legal experts, and civil groups are encouraged to contribute their perspectives until the deadline on 10 May 2024. You can read the press release here.

Denmark: Datatilsynet releases 2023 annual report

The Danish data protection authority (Datatilsynet) has published its annual report for 2023, which provides a comprehensive overview of its operational and financial performance over the past year and outlines its future objectives. The report, which is submitted annually to the Ministry of Justice, Ministry of Finance, and the National Audit Office, details the agency’s achievements in various professional activities and its financial outcomes. This yearly summary aims to offer transparency and accountability regarding the agency’s progress as it continues to navigate the evolving landscape of data protection. You can read the press release here and the full report here (both in Danish).

Netherlands: AP warns of underestimated cyber-attack risks

the Dutch data protection authority (AP) has raised concerns about the frequent underestimation of risks by organisations following cyber-attacks. According to their annual report, in 7 out of 10 cases, organisations fail to adequately assess the dangers, leading to insufficient notifications to affected individuals about their compromised data. This lack of communication prevents individuals from taking protective actions against potential fraud and other crimes. AP Chairman Aleid Wolfsen highlighted the serious implications of such data breaches, noting that criminals could use stolen data to commit fraud, such as using stolen identity documents to secure loans. In 2023, the AP received reports of over 25,000 data breaches, affecting roughly 20 million people. Wolfsen emphasised the importance of organisations maintaining trust by responsibly handling personal data and properly informing those affected by breaches. You can read the press release here (in Dutch).

Luxembourg: CNPD updates video surveillance guidelines

The Luxembourg data protection authority (CNPD) has updated its 2018 guidelines on video surveillance, taking into account recent decisions and guidelines issued by the European Data Protection Board (EDPB). The revisions clarify the purposes for installing video surveillance, the form and content of the information to be provided to individuals recorded, and specific scenarios such as video surveillance in shared residential buildings and the use of decoy cameras. The CNPD emphasises that anyone within camera view must be informed of their presence and recommends a two-layer information system: primary details displayed on a prominently sign, with a secondary, more comprehensive source of required information. The update also includes a suggested model for the primary information sign, which can be customised as needed.  You can read the press release here (in French).


US: AmericaXn Privacy Rights Act unveiled

U.S. Senator Maria Cantwell and U.S. Representative Cathy McMorris Rodgers have introduced the American Privacy Rights Act (APRA), a draft legislation aiming to standardise data privacy across the U.S. by replacing the varied state laws with a unified national framework. The proposed law would allow Americans to control their personal data more effectively, introducing measures to restrict data collection to necessary limits and enable individuals to prevent their data from being sold. It also proposes significant penalties for privacy violations, including the right for individuals to seek legal recourse. This legislation promises to impose stricter data protection and security obligations on companies, especially regarding sensitive data and targeted advertising, while exempting small businesses not engaged in data selling. The bill is currently poised for consideration through regular legislative processes. You can read the full press release here.

CFPB report  identifies financial and privacy risks to consumers in video gaming marketplaces

The Consumer Financial Protection Bureau (CFPB) has highlighted significant financial and privacy risks for consumers using online video game and virtual world platforms, which increasingly emulate traditional banking and payment systems. The CFPB’s latest report reveals that these platforms facilitate transactions involving billions of dollars, including virtual currencies, but lack sufficient consumer protections against scams, theft, and other financial harms typical under federal laws. The report notes that American consumers spent approximately $57 billion on gaming in 2023, engaging in transactions that converted real dollars into virtual currencies and other digital assets. These virtual marketplaces, while providing new financial services, have also led to increased incidents of phishing, account thefts, and inadequate customer support from gaming companies. Additionally, there are concerns about the extensive personal and behavioural data being collected by these platforms, potentially exposing users to significant privacy risks. You can read the press release here and the full report here.


France: CNIL fines HUBSIDE.STORE €525,000 for commercial prospecting practices

The French data protection authority (CNIL) has fined HUBSIDE.STORE €525,000 for misusing personal data for commercial prospecting. The fine was imposed because the company bought data from data brokers who obtained consent from individuals through misleading forms, which did not meet the GDPR’s requirements for validity. HUBSIDE.STORE, which engaged in SMS and telephone marketing without proper consent, violated the French Post and Electronic Communications Code and the GDPR. This practice also involved providing individuals with insufficient information about the use of their data, in violation of Article 14 of the GDPR. The fine, which represents approximately 2% of the company’s annual turnover, reflects the seriousness of the breaches and the scale of the prospecting activities. You can read the press release here and the full decision here (in French).

Italy: Garante imposes fines following Lazio cyber attack

The Italian data protection authority (Garante) has issued fines to LAZIOcrea, the Region of Lazio, and ASL Roma 3, in the amounts of €271,000, €120,000, and €10,000 respectively, as a response to a cyber-attack that took place overnight between 31 July and 1 August 2021. This attack, facilitated by ransomware via an employee’s laptop, significantly disrupted access to critical regional healthcare services. The Garante’s investigation concluded that both LAZIOcrea and the Region of Lazio committed serious breaches of privacy laws due to outdated systems and inadequate security measures. Moreover, ASL Roma 3 received a fine for failing to report the breach, underscoring the importance of compliance with notification obligations under privacy regulations. These penalties reflect the severity of the infractions and the accountability expected of data controllers. You can read the press release here (in Italian).

Italy: Garante fines health authority over EHR privacy breaches

The Italian data protection authority (Garante) has imposed a €75,000 fine on a local health authority (ASL) for failing to properly configure access to electronic health records (EHR). The Garante acted after receiving multiple complaints of unlawful personal data processing within the ASL’s archiving and reporting system, including instances where healthcare staff not involved in patient care could access EHRs. Notably, an ASL professional was able to view her ex-husband’s lab tests without his involvement in her medical duties. The system allowed healthcare workers to manually enter justifications for accessing EHRs, and by default, gave access to various professionals, including administrative staff, violating the Garante’s June 2015 guidelines. These guidelines demand stringent access controls to ensure only pertinent medical staff can view patient records. The Garante also ordered the ASL to implement necessary measures to secure personal data and prevent unauthorised access in the future. You can read the press release here (in Italian).