Data Protection Weekly 15/2023

Apr 13, 2023

 European Union

EDPB resolves dispute on transfers by Meta and creates task force on Chat GPT

During this week’s EDPB plenary session, the Board adopted a dispute resolution decision on the basis of Art. 65 GDPR concerning a draft decision of the Irish DPA on the legality of data transfers to the United States by Meta Platforms Ireland Limited (Meta IE) for its Facebook service. The Irish DPA now has one month to adopt and issue its final decision. With data transfers in the balance, the timing of an eventual EU-US Data Privacy Framework could be hugely significant. Furthermore, and in light of the recent enforcement action taken by the Italian DPA against OpenAI with regard to ChatGPT, the EDPB will launch a dedicated task force to foster cooperation and to exchange information on possible enforcement actions conducted by DPAs. This is potentially an important first step toward a common policy on setting privacy rules on artificial intelligence. The full EDPB press release can be read here.

European Parliament: MEPs against greenlighting personal data transfers with the U.S. under current rules

In a ‘non-binding’ resolution adopted by Civil Liberties Committee (LIBE) this week, MEPs argue that the European Commission should not grant the United States an adequacy decision; according to the LIBE Committee the proposed EU-U.S. Data Privacy Framework is an improvement, but not enough, in that it does not provide sufficient safeguards. The resolution was adopted with 37 votes in favour, 0 against, and 21 abstaining. It will now be voted on in a future plenary session of the European Parliament (EP), most likely during the 17-23 April session. For the full EP press release see here.

EDPS: Organisation of an event to mark the 5th Anniversary of the GDPR with the aim of reflecting on its Impact and future challenges

On May 23, 2023, the European Data Protection Supervisor (EDPS), the German Federal Commissioner for Data Protection and Freedom of Information, and the Bavarian Data Protection Commissioner will host a high-level event, titled “5th Anniversary of the GDPR: Still a benchmark in the EU digital landscape?”. The event will take place at the Representation of the Free State of Bavaria to the European Union in Brussels from 18:30 to 22:30. It aims to reflect on the impact of the General Data Protection Regulation (GDPR) and discuss the challenges that have emerged after five years of its application. Topics of discussion will include the practical functioning and enforcement of the GDPR and its place within the new regulatory framework, known as the digital rulebook, as well as the EU Strategy for Data. Confirmed speakers include prominent figures from the European Commission, European Parliament, Court of Justice of the European Union, and data protection authorities. More information on registration and the agenda will be available soon. Read the announcement here.

Council of Europe: elaboration of a framework convention on AI and human rights

The Council of Europe is actively working to ensure that artificial intelligence (AI) is used to promote and protect human rights, democracy, and the rule of law in the digital environment. Secretary General Marija Pejčinović Burić highlighted the vital role AI plays in today’s societies and the potential benefits and risks it poses. The Committee on Artificial Intelligence (CAI) has been mandated by the Committee of Ministers to create a framework Convention on the development, design, and application of AI based on the Council of Europe’s standards and conducive to innovation. This effort will be accompanied by sector-specific work throughout the organization, with the Council of Europe aiming to pioneer new standards that can serve as global benchmarks in a multistakeholder approach. You can read the full statement here.

National Authorities

Italy: Garante will lift temporary limitation if OpenAI implements measures

The Italian Data Protection Authority (“Garante“) has set a deadline of April 30 for OpenAI to implement several measures regarding transparency, data subject rights and other issues. If these measures are implemented, the Garante will lift restrictions on the use of ChatGPT for Italian users. The measures include providing an information notice on their website, obtaining consent or relying on legitimate interest for data processing, implementing age verification, providing tools for data subjects to request data rectification or erasure, and promoting an information campaign about personal data use in algorithms by May 15. The Garante may take further action if these measures are not met. Read the press release here and the full decision here.

UK: ICO responds to Government’s AI white paper

The Information Commissioner’s Office (ICO) has published its response to the Government’s AI White Paper, emphasizing the importance of minimizing additional burdens or complexities for businesses. The ICO suggests close collaboration with the government to ensure compatibility between AI White Paper principles and data protection principles. They also recommend prioritizing research into guidance valued by various AI developers before proceeding. The ICO encourages the government to collaborate with regulators and the Digital Regulation Cooperation Forum (DRCF) to achieve its objectives. Read the full response here.

Spain: AEPD publishes blog post on AI systems in data processing

The Spanish Data Protection Authority (“AEPD”) has published a new blog post entitled AI: Systems vs Processing, Means vs Purposes, focusing on the role of AI systems in data processing. The post highlights that AI systems are merely tools to implement data operations on processing activities, rather than the final purpose of data processing itself. AEPD emphasizes that controllers are responsible for determining whether AI system results imply automatic decisions or require human supervision. The blog post uses a recruitment process example to illustrate how AI systems can be integrated into various operations, while the controller decides on the level of human involvement. The AEPD aims to clarify the role of AI systems and their potential impact on data subjects’ rights and freedoms. You can read the complete blog post here.

Spain: AEPD requests EDPB to discuss ChatGPT privacy concerns

The Spanish Data Protection Authority (AEPD) has asked The European Data Protection Board to evaluate privacy concerns surrounding OpenAI’s ChatGPT, amid increasing global scrutiny of artificial intelligence (AI) systems. The AEPD’s request comes as France’s privacy watchdog CNIL investigates several complaints about ChatGPT, and Italy’s data protection supervisor reviews measures proposed by OpenAI following a temporary ban on the chatbot. Other European privacy regulators are also considering whether stricter measures are necessary for chatbots and if such actions should be coordinated. Read the full article here.

Romania: ANSPDCP solicits public consultation on draft decision on code of conduct for monitoring bodies

Romania’s Data Protection Authority (ANSPDCP) has announced a public consultation on the draft decision regarding the approval of accreditation requirements for code of conduct monitoring bodies under Article 41 of GDPR. The accreditation requirements were submitted to the European Data Protection Board for evaluation, which issued Opinion no. 3/2023 in accordance with Article 64 of GDPR. Interested parties are invited to submit their proposals, suggestions, and opinions to ANSPDCP via email at within 10 calendar days from the publication date of the announcement. You can read the press release (in Romanian) here and the full draft decision (in Romanian) here.


Tesla employees accused of sharing sensitive customer data

A recent special report alleges that between 2019 and 2022, Tesla employees privately shared sensitive images and videos recorded by customers’ car cameras through an internal messaging system. The shared content included embarrassing situations involving Tesla customers and accidents such as road-rage incidents. Tesla’s Customer Privacy Notice claims that the camera recordings “remain anonymous and are not linked to you or your vehicle.” However, former employees interviewed by Reuters stated that the software they used at work could reveal the location of the recordings, potentially exposing a customer’s residence. The extent of this practice and whether it continues today remain unknown. You can read the full article here.

Cookie fatigue: The questions facing the EU Commission initiative

EU Justice Commissioner Didier Reynders announced the launch of a voluntary initiative to address the growing ‘cookie fatigue’ of internet users, namely the fact of having to continuously consent or refuse the processing of their data when landing on a website. The European Commission wants to discuss with stakeholders how to improve consumer awareness of online tracking and alternatives to tracking-based advertising as part of its exercise to reach a voluntary pledge to phase out cookies before the year’s end. The article can be read here.


Romania: ANSPDCP imposes €5,000 fine on REGENCY COMPANY for multiple GDPR violations

Romania’s Supervisory Authority  (ANSPDCP) concluded an investigation into REGENCY COMPANY SRL, finding violations of Article 5 (1) (a), (b), and (c) in relation to Article 6 of Regulation (EU) 2016/679 (GDPR). As a result, the company received a fine of 14,764.2 lei (equivalent to 3,000 EUR). The investigation began after a complaint from an individual who reported possible GDPR violations, such as employees and collaborators being audio/video monitored at their workplace without consent. The company was found to have processed personal data without adhering to proper processing principles or having a legal basis for the intrusion into employees’ private lives. The company was ordered to take corrective measures, including removing video surveillance cameras installed in offices and the dining room, where there was no legal basis for processing employees’ personal data under Article 6 of the GDPR. Read the press release (in Romanian) here.

Austria: Austrian DPA rules against “Pay or Okay” model by Der Standard

The Austrian Data Protection Authority (DPA) has ruled that the “Pay or Okay” model used by Austrian newspaper Der Standard is partially illegal. The model, which spread to Germany and the EU, requires readers to choose between having their data processed or purchasing a subscription. While the DPA confirmed the general permissibility of the model, it specified that users must be able to give specific consent for data processing as required by the GDPR. The decision leaves the implementation of a legally compliant subscription model unclear, and the economic issues raised by privacy advocacy group noyb were not addressed by the DPA. Both noyb and Der Standard are expected to appeal the decision, which may ultimately be decided by the European Court of Justice. You can read the DPA decision on Der Standard (in German) here and noyb’s article here.